In October 2024, security researcher Ben Sadeghipour discovered a serious vulnerability in Facebook’s ad platform. The flaw allowed him to execute commands on an internal server, effectively giving him control over it. He reported the issue to Meta, Facebook’s parent company, which fixed it within an hour of the report. Meta awarded Sadeghipour a $100,000 bug bounty for the finding.
The vulnerability stemmed from one of the servers Facebook uses for ad creation and delivery, which relied on a headless Chrome browser that had not been updated and was therefore still exposed to a known, already-fixed Chrome flaw. By exploiting that flaw in the server’s headless Chrome instance, Sadeghipour was able to interact directly with Facebook’s internal servers. He pointed out that online advertising platforms carry inherent risk: building and serving ads involves many moving parts, which widens the attack surface and makes these platforms attractive targets.
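The weak point in this incident was a server-side headless Chrome that had fallen behind on patches. The following script is an added example, written for this article and not code from Sadeghipour or from Meta; it shows the kind of check an operator of such a render service would run: read the version the browser reports on Chrome’s remote-debugging endpoint (`/json/version`, a real DevTools endpoint) and compare it against a patch baseline. The baseline value, the sample JSON response and the local port are assumptions chosen for illustration; the response shape (a `Browser` field such as `HeadlessChrome/<version>`) is what Chrome actually returns.

```python
import json
import re
import urllib.request

# Placeholder policy value: the oldest Chrome build you are willing to run
# server-side. Set this from your own patch baseline; the number here is an assumption.
MIN_CHROME_VERSION = (130, 0, 0, 0)

# Constructed sample of a /json/version response from an out-of-date headless Chrome
# (not captured from Facebook's infrastructure).
SAMPLE_VERSION_JSON = json.dumps({
    "Browser": "HeadlessChrome/118.0.5993.70",
    "Protocol-Version": "1.3",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) HeadlessChrome/118.0.5993.70 Safari/537.36",
    "V8-Version": "11.8.172.15",
    "WebKit-Version": "537.36",
    "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/browser/0000",
})


def parse_chrome_version(version_json: str) -> tuple:
    """Extract the four-part Chrome version from a /json/version response body."""
    data = json.loads(version_json)
    match = re.search(r"(?:Headless)?Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)", data.get("Browser", ""))
    if not match:
        raise ValueError("no Chrome version found in /json/version response")
    return tuple(int(part) for part in match.groups())


def is_below_baseline(version: tuple, baseline: tuple = MIN_CHROME_VERSION) -> bool:
    """True when the running build is older than the baseline and must be upgraded."""
    return version < baseline


def check_running_instance(devtools_url: str = "http://127.0.0.1:9222", timeout: float = 3.0) -> dict:
    """Query a live headless Chrome (assumed to expose remote debugging on devtools_url)
    and report whether it is below the patch baseline."""
    with urllib.request.urlopen(f"{devtools_url}/json/version", timeout=timeout) as resp:
        version = parse_chrome_version(resp.read().decode())
    return {"version": version, "outdated": is_below_baseline(version)}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; check_running_instance()
    # needs a real Chrome started with --remote-debugging-port=9222.
    v = parse_chrome_version(SAMPLE_VERSION_JSON)
    print("reported version:", ".".join(map(str, v)))
    print("below baseline:", is_below_baseline(v))
```

Run it against the sample and it flags the 118 build as outdated; pointed at a real instance it does the same for whatever build is actually serving the render queue. A check like this belongs in the deploy pipeline for any service that feeds untrusted content, ad creatives included, into a browser engine.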
Despite gaining access to Facebook’s server, Sadeghipour stopped there rather than explore further, mindful of the risks that come with unauthorized access to internal infrastructure. He noted that similar vulnerabilities likely exist in ad platforms run by other companies, which underscores the need for thorough security measures across the industry.
Overall, the incident is a reminder that known vulnerabilities in deployed components need to be patched promptly, both to safeguard sensitive data and to deny attackers an easy way in.
