Researcher Uncovers Critical Flaw in Facebook’s Ad Platform, Earns $100,000

In October 2024, security researcher Ben Sadeghipour discovered a significant security vulnerability within Facebook’s ad platform. The flaw allowed him to execute commands on an internal Facebook server hosting the ad platform, effectively granting him control over the server. Upon discovering this vulnerability, Sadeghipour promptly reported it to Meta, which resolved the issue within an hour. In recognition of his efforts, Meta awarded Sadeghipour a $100,000 bug bounty.

The vulnerability discovered was a remote code execution flaw, a type that enables attackers to bypass security limitations and extract data from servers and connected machines. This particular flaw was linked to a previously addressed issue in the Chrome browser. Facebook utilizes a headless Chrome browser to communicate with its internal servers, and Sadeghipour exploited this feature to hijack the server.

“With an [remote code execution vulnerability], you can bypass some of these limitations and also directly pull stuff from the server itself and the other machines that it has access to.” – Sadeghipour

During his analysis of Facebook’s ad platform, Sadeghipour collaborated with independent researcher Alex Chapman. Together, they identified the vulnerability while examining the platform’s operations. Although Sadeghipour did not explore all potential actions he could have taken within the Facebook server, he emphasized that the affected server was probably part of Facebook’s internal infrastructure.

“What makes this dangerous is this was probably a part of an internal infrastructure.” – Sadeghipour

Online advertising platforms are often regarded as “juicy targets” for cyber attackers due to the vast data they process. Similar vulnerabilities could potentially exist in other companies’ advertising platforms, posing widespread security risks.

“There’s so much that happens in the background of making these ‘ads’ — whether they are video, text or images.” – Sadeghipour

Sadeghipour highlighted that at the core of these platforms is extensive data processing on the server side, which opens the door to numerous vulnerabilities.

“At the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities.” – Sadeghipour

Author’s Opinion

Ben Sadeghipour’s discovery of a remote code execution vulnerability within Facebook’s ad platform underscores the perpetual arms race in cybersecurity between technology companies and potential attackers. This incident not only highlights the ongoing vulnerabilities within complex digital platforms but also the critical role that ethical hackers play in securing digital infrastructures. As companies continue to rely heavily on vast quantities of data and complex systems to drive advertising and revenue, the importance of robust security measures and rapid response teams like those at Meta becomes increasingly evident. Such incidents serve as a reminder of the ever-present need for vigilance in the digital age, where security is not just about protection but about maintaining trust and operational integrity.
