Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Security researcher in October 2024 Ben Sadeghipour while he was analyzing Facebook’s advertising platform, he discovered a security vulnerability that allowed him to execute commands on the internal Facebook server that hosted that platform, giving him control over the server.
According to Sadeghipour, the Facebook owner took just an hour to fix the vulnerability after he reported it to Meta, with the social networking giant offering him a $100,000 bug bounty.
“My guess is that this is something you might want to fix because it’s right inside your infrastructure,” Sadeghipour told TechCrunch in a report to Meta. Meta responded to the report and told Sadeghipour to “refrain from further testing” while fixing the vulnerability.
According to Sadeghipour, the problem is that one of the servers Facebook uses to create and deliver ads is vulnerable to a previously identified flaw in the Chrome browser used in Facebook’s advertising system. Sadeghipour said that this unpatched bug allowed him to hijack it by using the headless Chrome browser (essentially the version of the browser that users run from a computer terminal) to communicate directly with Facebook’s internal servers.
Sadeghipour, who discovered the Facebook vulnerability working with independent researcher Alex Chapman, told TechCrunch that online ad platforms make for juicy targets because “there’s so much going on in the background of making those ads — whether it’s video, text, or images. .”
“But at the heart of it all is a lot of data being processed on the server side, and that opens the door to a ton of vulnerabilities,” Sadeghipour said.
The researcher said he hasn’t tested everything he can do once on Facebook’s server, but “what makes it dangerous is that it’s probably part of the internal infrastructure.”
“Because we have code execution, we could communicate with any site in this infrastructure,” Sadeghipour said. “With (remote code execution vulnerability), you can bypass some of these restrictions and also extract material directly from the server itself and other machines it accesses.
Meta spokeswoman Nicole Catalano acknowledged TechCrunch’s request for comment, but did not comment at press time.
Sadeghipour also said that similar ad platforms operated by other companies and analyzed by him are vulnerable to similar vulnerabilities.
