Researcher receives a big reward for finding a Facebook bug that could unlock the gates to its internal systems
- A security flaw found in Facebook’s advertising platform has been fixed by Meta
- The researcher who discovered the bug was awarded a $100,000 bug bounty
- The flaw allowed the researcher to effectively take control of a Facebook server
Meta has awarded cybersecurity researcher Ben Sadeghipour a $100,000 bug bounty after he discovered a security vulnerability on Facebook’s advertising platform in October 2024.
The flaw allowed Sadeghipour to execute commands on the internal Facebook server where the platform was housed, giving him control over the server.
According to Sadeghipour, the unpatched bug let him hijack the server through a headless Chrome browser. Headless Chrome is the browser run without a graphical interface, driven from the command line or by automation scripts rather than by a person; Facebook's ad platform ran one server-side, and taking control of it gave him a way to communicate directly with Facebook's internal servers.
Part of broader research
The flaw was in a server that Facebook used to create and deliver ads. That server ran a copy of the Chrome browser as part of the advertising pipeline, and the copy was still exposed to a Chrome vulnerability that had already been fixed upstream. A browser that renders attacker-supplied ad content on the server side is part of the internet-facing attack surface, so leaving it unpatched is as dangerous as leaving it unpatched on a user's desktop.
Sadeghipour told TechCrunch that online advertising platforms are attractive targets because “so much goes on in the background of creating these ‘ads’ – whether it’s video, text or images.”
“But at the heart of it all is a lot of data being processed on the server side and this opens the door to a lot of vulnerabilities,” Sadeghipour said.
The researcher confirmed that he did not test everything he could have once he was on the server, although “what makes this dangerous is that this was probably part of an internal infrastructure.”
After reporting the vulnerability to Meta, it took just an hour to fix the bug, Sadeghipour said, noting that his discovery was part of “ongoing research into a specific application with a specific purpose.” This bug in particular took him a few hours to identify, but Meta worked with him to quickly patch the bug and offered a reward “way above” expectations, he confirmed in a LinkedIn message.
Bug bounties have been on the rise lately, with Google dramatically increasing rewards for researchers who participate in its program, making security research increasingly lucrative.