In October 2024, cybersecurity researcher Ben Sadeghi uncovered a critical vulnerability in Facebook’s advertising platform, enabling the execution of commands on the company’s internal server. This flaw effectively granted full control over the server.
Sadeghi promptly reported the issue to Meta, which resolved it within an hour. As recognition for his efforts, he received a $100,000 reward under the Bug Bounty program. In his report to Meta, Sadeghi emphasized the urgency of addressing the vulnerability due to its direct connection to the company’s internal infrastructure. Meta responded swiftly and requested the researcher to refrain from further testing until the fixes were fully implemented.
The root cause of the vulnerability was traced to a previously patched flaw in the Chrome browser, utilized within Facebook’s advertising system for creating and delivering ads. Sadeghi noted that the exploit allowed for interactions with Facebook’s internal servers via a headless Chrome browser.
Collaborating with independent researcher Alex Chapman, Sadeghi explained that advertising platforms are frequent attack targets due to the intricate server-side processes involved. Tasks such as creating and managing video, text, and graphic ad materials can expose multiple vulnerabilities.
Sadeghi acknowledged that he had not tested every potential exploitation scenario but highlighted the significant risks posed by the flaw. The vulnerability allowed not only access to an individual server but also to interconnected infrastructure resources. Through Remote Code Execution (RCE), attackers could bypass system restrictions and gain access to data on additional servers.
The researcher remarked that similar vulnerabilities might exist within advertising platforms of other companies, further underscoring the broader implications of this discovery. At the time of publication, Meta declined to provide detailed comments, confirming only that they had received an inquiry from journalists.
