In October 2024, security researcher Ben Sadeghipour was analyzing Facebook’s ad platform when he found a security vulnerability that allowed him to run commands on the internal Facebook server housing that platform, essentially giving him control of the server.
After he reported the vulnerability to Facebook’s owner Meta, which Sadeghipour said took just one hour to fix it, the social networking giant awarded him $100,000 in a bug bounty payout.
“My assumption is that it’s something you may want to fix because it is directly inside of your infrastructure,” Sadeghipour wrote in the report he sent to Meta, he told TechCrunch. Meta responded to his report, telling Sadeghipour to “refrain from testing any further” while they fix the vulnerability.
The issue, according to Sadeghipour, was that one of the servers that Facebook used for creating and delivering ads was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ads system. Sadeghipour said this unpatched bug allowed him to hijack it using a headless Chrome browser (essentially a version of the browser that users run from the computer’s terminal) to interact directly with Facebook’s internal servers.
Sadeghipour, who found the Facebook vulnerability working with independent researcher Alex Chapman, told TechCrunch that online advertising platforms make for juicy targets because, “there’s so much that happens in the background of making these ‘ads’ — whether they are video, text or images.”
“But at the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,” said Sadeghipour.
The researcher said he didn’t test out everything he could have done once inside the Facebook server, but “what makes this dangerous is this was probably a part of an internal infrastructure.”
“Since we have code execution, we could’ve interacted with any of the sites within that infrastructure,” said Sadeghipour. “With an [remote code execution vulnerability], you can bypass some of these limitations and also directly pull stuff from the server itself and the other machines that it has access to.”
Meta spokesperson Nicole Catalano acknowledged receipt of TechCrunch’s request for comment, but did not comment by press time.
Sadeghipour also said that similar ad platforms that other companies run, and which he has been analyzing, are vulnerable to similar vulnerabilities.
