
Facebook Awarded $100,000 for Bug that Allows Internal Access to Server

Facebook has awarded a $100,000 bug bounty to security researcher Ben Sadeghipour for discovering a critical vulnerability in the company’s ad platform.

The flaw, identified in October 2024, allowed Sadeghipour to execute commands on Facebook’s internal server, effectively granting him control over the system.

Sadeghipour, working alongside independent researcher Alex Chapman, uncovered the vulnerability while analyzing Facebook’s advertising infrastructure.

The issue stemmed from an unpatched bug in the Chrome browser, which Facebook utilizes in its ad system. This oversight enabled Sadeghipour to exploit the flaw using a headless Chrome browser, facilitating direct interaction with Facebook’s internal servers.


The severity of the vulnerability became apparent when Sadeghipour realized the potential scope of access. “What makes this dangerous is this was probably a part of an internal infrastructure,” he explained to TechCrunch.

“Since we have code execution, we could’ve interacted with any of the sites within that infrastructure.”

Upon receiving the report, Facebook’s parent company, Meta, acted swiftly, addressing the vulnerability within an hour. The social media giant instructed Sadeghipour to cease further testing while they implemented a fix.

This incident highlights the critical importance of bug bounty programs in identifying and mitigating potential security threats. Facebook’s bug bounty program, established in 2011, has paid out more than $16 million to date, demonstrating the company’s commitment to cybersecurity.

Sadeghipour emphasized the attractiveness of online advertising platforms as targets for security researchers. “There’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images,” he noted. “But at the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities.”

As online platforms continue to evolve and expand, the need for robust security measures and collaborative efforts with the cybersecurity community becomes increasingly crucial.

While Meta has not provided an official comment on the incident, the substantial bounty awarded underscores the significance of Sadeghipour’s finding.

As companies continue to rely on bug bounty programs to enhance their security posture, this case stands as evidence of the value of ethical hacking in safeguarding digital ecosystems.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
