Facebook pays researcher $100,000 for bug that granted inside access
In October 2024, security researcher Ben Sadeghipour was analyzing Facebook’s advertising platform when he discovered a vulnerability that allowed him to run commands on the internal Facebook server that hosts that platform, essentially giving him control of the server.
After he reported the vulnerability to Meta, the owner of Facebook, the social networking giant awarded him a $100,000 bounty for discovering the bug, which Sadeghipour said took only one hour to fix.
“My assumption is that it is something you might want to fix because it exists directly within your infrastructure,” Sadeghipour wrote in the report he sent to Meta, he told TechCrunch. Meta responded to his report by asking Sadeghipour to “refrain from further testing” while the vulnerability was being fixed.
The problem, according to Sadeghipour, was that one of the servers Facebook uses to create and serve ads was vulnerable to a previously fixed flaw in the Chrome browser, which Facebook uses in its advertising system. Sadeghipour said this unpatched bug allowed him to take over the server by using the headless Chrome browser (essentially a version of the browser that users launch from a computer terminal) to interact directly with Facebook’s internal servers.
Sadeghipour, who discovered the Facebook vulnerability in collaboration with independent researcher Alex Chapman, told TechCrunch that online advertising platforms are attractive targets because “there’s a lot going on in the background of creating these ‘ads’ — whether it’s video, text or images.”
“But at the core of it all, there is a bunch of data being processed on the server side, which opens the door to a lot of vulnerabilities,” Sadeghipour said.
The researcher said he did not test everything he could have done once inside the Facebook server, but “what makes this dangerous is that it may have been part of the internal infrastructure.”
“Because we had code execution, we could interact with any of the sites within that infrastructure,” Sadeghipour said. “With [a remote code execution vulnerability] you can bypass some of these restrictions and also pull things directly from the server itself and other devices that have access to it.”
Meta spokeswoman Nicole Catalano acknowledged receipt of TechCrunch’s request for comment, but had not commented by press time.
Sadeghipour also said that similar ad platforms run by other companies, which he was analyzing, were vulnerable to similar flaws.