In October 2024, security researcher Ben Sadeghipour was analyzing Facebook's advertising platform when he discovered a security vulnerability that allowed him to execute commands on the internal Facebook servers that housed the platform, effectively giving him control of the server.
Sadeghipour reported the vulnerability to Facebook owner Meta, which said it took only an hour to fix, and the social networking giant awarded him $100,000 in bug bounties.
“My guess is that this is directly inside the infrastructure and may need to be fixed,” Sadeghipour wrote in a report sent to Meta, he told TechCrunch. Meta responded to his report and told Sadeghipour to “refrain from further testing” while the vulnerability was fixed.
The problem, Sadeghipour said, was that one of the servers Facebook used to create and serve ads was vulnerable to a previously fixed flaw found in the Chrome browser that Facebook uses for its ad system. Sadeghipour said the unpatched bug allowed him to use a headless Chrome browser (basically a version of the browser that users run from a terminal on their computer) to exploit the flaw and interact directly with Facebook's internal servers.
Sadeghipour, who worked with independent researcher Alex Chapman to discover Facebook's vulnerabilities, told TechCrunch that online advertising platforms are easy targets: “Advertising, whether it's video, text or images. There's so much going on in the background of creating it.”
“But at the heart of it all is the large amount of data processed on the server side, which opens the door to a large number of vulnerabilities,” Sadeghipour said.
The researchers said they hadn't tested everything that could have been done within the Facebook servers, but “what makes this dangerous is that this was likely part of the internal infrastructure.”
“Because it could execute code, it could have interacted with any site within that infrastructure,” Sadeghipour said. “[With a remote code execution vulnerability] you can also circumvent some of these limitations and retrieve data directly from the server itself or from other machines that the server has access to.”
Meta spokesperson Nicole Catalano acknowledged receiving TechCrunch's request for comment, but did not comment as of press time.
Sadeghipour also said that advertising platforms run by other companies that he analyzes are vulnerable to similar flaws.