Facebook Bug Bounty: Researcher Awarded $100,000

Facebook Ad Platform Vulnerability Awarded $100,000 Bug Bounty
In October 2024, Ben Sadeghipour, a security researcher, discovered a security flaw while examining Facebook's advertising platform. This vulnerability permitted the execution of commands on the internal server responsible for the platform.
Effectively, Sadeghipour gained control over the server itself. He promptly reported this issue to Meta, Facebook’s parent company.
Rapid Response and Bug Bounty
Meta addressed the vulnerability within an hour of the report, according to Sadeghipour. As a reward for his discovery, Facebook issued a bug bounty payout of $100,000.
Sadeghipour communicated his concerns to Meta, stating the issue warranted immediate attention due to its location within their core infrastructure.
Root Cause of the Vulnerability
The vulnerability stemmed from an unpatched flaw in a server utilized for ad creation and delivery. This flaw was originally identified and resolved in the Chrome browser.
Facebook leverages Chrome within its advertising system, and this oversight allowed Sadeghipour to exploit the weakness.
Exploitation Method
Sadeghipour utilized a headless Chrome browser, a version of the browser that runs without a graphical interface and is driven from the command line, to interact directly with Facebook’s internal servers.
This allowed him to take control of the server and potentially gain access to sensitive data and systems.
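The root cause described above is a server-side rendering pipeline that embeds a browser and falls behind on its patches. The following script is an added example, not code from the article, from Meta, or from the researcher; it shows the kind of pre-flight check a defender can put in front of a headless-Chrome render job: refuse to run on a browser build older than the patched minimum, and flag launch flags that weaken Chrome's own process isolation. The minimum version is a constructed placeholder (a real deployment would take it from the vendor's release notes for the relevant fix), and the sample version banners and argument lists are constructed inputs.

```python
import re
from typing import List, Tuple

# Constructed placeholder: the oldest Chrome build the renderer may run.
# In practice this comes from the release notes of the fix being tracked.
MIN_PATCHED_VERSION: Tuple[int, ...] = (128, 0, 6613, 84)

# Launch flags that disable or bypass Chrome's isolation. Seeing them in a
# server-side rendering job is a finding: a renderer that parses untrusted ad
# content should keep the sandbox and expose no debugging endpoint.
RISKY_FLAGS = {"--no-sandbox", "--disable-web-security", "--remote-debugging-port"}


def parse_chrome_version(banner: str) -> Tuple[int, ...]:
    """Extract a four-part version from output such as 'Google Chrome 128.0.6613.84'.

    Shorter versions are right-padded with zeros so tuples compare component-wise.
    """
    match = re.search(r"(\d+(?:\.\d+){1,3})", banner)
    if not match:
        raise ValueError(f"no version number in {banner!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(banner: str, minimum: Tuple[int, ...] = MIN_PATCHED_VERSION) -> bool:
    """True when the reported build is at or above the patched minimum."""
    return parse_chrome_version(banner) >= minimum


def risky_flags(argv: List[str]) -> List[str]:
    """Return launch arguments that weaken isolation, keeping any '=value' suffix."""
    return [arg for arg in argv if arg.split("=", 1)[0] in RISKY_FLAGS]


def audit_render_job(banner: str, argv: List[str]) -> List[str]:
    """Collect findings for one headless-Chrome render job; an empty list means it may run."""
    findings: List[str] = []
    version = parse_chrome_version(banner)
    if version < MIN_PATCHED_VERSION:
        have = ".".join(map(str, version))
        want = ".".join(map(str, MIN_PATCHED_VERSION))
        findings.append(f"chrome {have} is below the patched minimum {want}")
    for flag in risky_flags(argv):
        findings.append(f"isolation weakened by launch flag {flag}")
    return findings


if __name__ == "__main__":
    # Constructed sample jobs: one current and sandboxed, one stale and unsandboxed.
    jobs = [
        ("Google Chrome 128.0.6613.84", ["--headless=new", "--disable-gpu"]),
        ("Chromium 119.0.6045.105", ["--headless=new", "--no-sandbox"]),
    ]
    for banner, argv in jobs:
        problems = audit_render_job(banner, argv)
        verdict = "OK" if not problems else "BLOCK"
        print(f"{verdict}: {banner}")
        for p in problems:
            print(f"  - {p}")
```

The check is deliberately cheap so it can gate every render job: the version banner comes from whatever the service already runs (`chrome --version` or the bundled binary's metadata), and the flag audit catches the common shortcut of disabling the sandbox to make a container "just work", which is exactly the setting that turns a renderer bug into command execution on the host.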
Advertising Platforms as Prime Targets
Working alongside independent researcher Alex Chapman, Sadeghipour highlighted the inherent risks associated with online advertising platforms.
He explained that the complex processes behind ad delivery – encompassing video, text, and images – create numerous opportunities for vulnerabilities.
“At the core, it’s data processing on the server-side, which introduces a multitude of potential weaknesses,” Sadeghipour stated.
Potential Impact of the Breach
While Sadeghipour refrained from fully exploring the extent of his access, he emphasized the danger posed by the vulnerability.
The ability to execute code granted the potential to interact with various internal sites within Meta’s infrastructure.
A remote code execution vulnerability like this could bypass security limitations and facilitate direct data extraction from the server and connected machines.
Meta’s Response
Nicole Catalano, a Meta spokesperson, confirmed receipt of a comment request from TechCrunch but did not provide a statement at the time of publication.
Wider Implications
Sadeghipour also indicated that similar vulnerabilities likely exist within the ad platforms operated by other companies.
His ongoing analysis suggests a systemic risk across the industry.