A security flaw found in Facebookâs ad platform has been fixed by Meta
The researcher who discovered the flaw was awarded a $100,000 bug bounty
The flaw allowed the researcher to effectively take control of a Facebook server
Meta has awarded cybersecurity researcher Ben Sadeghipour a bug bounty of $100,000 after he discovered a security vulnerability on Facebookâs ad platform in October 2024.
The flaw allowed Sadeghipour to run commands on the internal Facebook server which housed the platform, giving him control of the server.
According to Sadeghipour, the unpatched bug allowed him to hijack the server using a headless Chrome browser, which is a version of the browser users run from the computerâs terminal, to interact with Facebookâs internal servers directly.
Part of wider researcher
The flaw in the platform was connected to a server that Facebook used to create and deliver ads, which was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ad system.
Sadeghipour told TechCrunch online advertising platforms are attractive targets because âthereâs so much that happens in the background of making these âadsâ â whether they are video, text, or images.â
âBut at the core of it all itâs a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,â Sadeghipour said.
The researcher confirms he didnât test out everything he could have once he was inside the server, although âwhat makes this dangerous is this was probably a part of an internal infrastructure.â
After reporting the vulnerability to Meta, the bug took just an hour to fix, Sadeghipour said, noting his discovery was part of âongoing research on a specific application with a specific purposeâ. This flaw in particular took him a few hours to identify, but Meta worked with him to quickly patch the bug and offered a bounty that was âway beyondâ expectations, he confirmed in a LinkedIn post.
Bug bounties have been on the rise recently, with Google drastically increasing its rewards for researchers who participate in the program, so security research is getting more lucrative.
You might also like
The post Researcher nets major reward for finding Facebook bug able to unlock the gates to its internal systems appeared first on World Online.
