Uncovering a Facebook Ad Platform Vulnerability: A Cautionary Tale
In October 2024, a security researcher named Ben Sadeghipour stumbled upon a significant vulnerability within Facebook’s ad platform. This discovery was no small feat—it allowed him to execute commands on an internal Facebook server, effectively granting him control over it. Upon identifying this critical flaw, Sadeghipour promptly reported it to Meta, Facebook’s parent company. Remarkably, within just one hour, Meta had addressed and resolved the issue, rewarding Sadeghipour with a generous $100,000 bug bounty.
“My assumption is that it’s something you may want to fix because it is directly inside of your infrastructure,” Sadeghipour mentioned in his report to Meta.
{TechCrunch}
Meta’s swift response included a request for Sadeghipour to “refrain from testing any further” while they worked on fixing the vulnerability. The root of the issue was traced back to a server employed by Facebook for ad creation and delivery. This server was susceptible due to a previously patched flaw in the Chrome browser, which Facebook utilized in its ad system.
- Sadeghipour exploited this unpatched bug using a headless Chrome browser—a tool run from a computer’s terminal—to interact directly with Facebook’s internal servers.
- He collaborated with independent researcher Alex Chapman in this discovery.
Delving into the complexity of online advertising platforms, Sadeghipour explained why these systems are prime targets for vulnerabilities. “There’s so much that happens in the background of making these ‘ads’—whether they are video, text or images,” he noted. “At the core of it all, it’s a bunch of data being processed on the server-side, opening doors to numerous vulnerabilities.”
“What makes this dangerous is this was probably a part of an internal infrastructure,” emphasized Sadeghipour. “With remote code execution vulnerabilities, you can bypass limitations and directly pull information from the server and other machines it accesses.”
{TechCrunch}
Sadeghipour disclosed that although he didn’t explore all possibilities within the Facebook server, the potential risks were evident. Meta spokesperson Nicole Catalano acknowledged receiving TechCrunch’s request for comment but did not provide one by press time. Furthermore, Sadeghipour revealed that similar vulnerabilities exist in other companies’ ad platforms he has examined.
