Researcher nets major reward for finding Facebook bug able to unlock the gates to its internal systems
- A security flaw found in Facebook’s ad platform has been fixed by Meta
- The researcher who discovered the flaw was awarded a $100,000 bug bounty
- The flaw allowed the researcher to effectively take control of a Facebook server
Meta has awarded cybersecurity researcher Ben Sadeghipour a bug bounty of $100,000 after he discovered a security vulnerability on Facebook’s ad platform in October 2024.
The flaw allowed Sadeghipour to run commands on the internal Facebook server which housed the platform, giving him control of the server.
According to Sadeghipour, the unpatched bug allowed him to hijack the server using a headless Chrome browser, which is a version of the browser users run from the computer’s terminal, to interact with Facebook’s internal servers directly.
Part of wider researcher
The flaw in the platform was connected to a server that Facebook used to create and deliver ads, which was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ad system.
Sadeghipour told TechCrunch online advertising platforms are attractive targets because “there’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images.”
“But at the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,” Sadeghipour said.
The researcher confirms he didn’t test out everything he could have once he was inside the server, although “what makes this dangerous is this was probably a part of an internal infrastructure.”
After reporting the vulnerability to Meta, the bug took just an hour to fix, Sadeghipour said, noting his discovery was part of ‘ongoing research on a specific application with a specific purpose’. This flaw in particular took him a few hours to identify, but Meta worked with him to quickly patch the bug and offered a bounty that was ‘way beyond’ expectations, he confirmed in a LinkedIn post.
Bug bounties have been on the rise recently, with Google drastically increasing its rewards for researchers who participate in the program, so security research is getting more lucrative.