Researcher nets major reward for finding Facebook bug able to unlock the gates to its internal systems

(Image credit: Luca Sammarco/Pexels)

A security flaw found in Facebook's ad platform has been fixed by Meta
The researcher who discovered the flaw was awarded a $100,000 bug bounty
The flaw allowed the researcher to effectively take control of a Facebook server

Meta has awarded cybersecurity researcher Ben Sadeghipour a bug bounty of $100,000 after he discovered a security vulnerability on Facebook’s ad platform in October 2024.

The flaw allowed Sadeghipour to run commands on the internal Facebook server which housed the platform, giving him control of the server.

According to Sadeghipour, the unpatched bug allowed him to hijack the server using a headless Chrome browser, which is a version of the browser users run from the computer’s terminal, to interact with Facebook’s internal servers directly.

Part of wider researcher

The flaw in the platform was connected to a server that Facebook used to create and deliver ads, which was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ad system.

Sadeghipour told TechCrunch online advertising platforms are attractive targets because “there’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images.”

“But at the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,” Sadeghipour said.

The researcher confirms he didn’t test out everything he could have once he was inside the server, although “what makes this dangerous is this was probably a part of an internal infrastructure.”

After reporting the vulnerability to Meta, the bug took just an hour to fix, Sadeghipour said, noting his discovery was part of ‘ongoing research on a specific application with a specific purpose’. This flaw in particular took him a few hours to identify, but Meta worked with him to quickly patch the bug and offered a bounty that was ‘way beyond’ expectations, he confirmed in a LinkedIn post.

Bug bounties have been on the rise recently, with Google drastically increasing its rewards for researchers who participate in the program, so security research is getting more lucrative.

Take a look at our pick of the best malware removal software around
Researchers hijack thousands of backdoors thanks to expired domains
Check out our choices for best antivirus software

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.