Meta paid $100,000 to independent cybersecurity specialist Ben Sadeghipour for discovering a serious vulnerability in the platform. While analyzing the ad serving system, Sadeghipour found a flaw that allowed him to execute a command in a private part of Facebook's server infrastructure, effectively gaining full control of the server.
As reported by TechCrunch, the vulnerability was associated with one of the servers used by Facebook to create and display ads. This server was affected by a previously known and fixed bug in the Chrome browser, which Facebook uses in its advertising system. Sadeghipour explained that by using a light version of the Chrome browser, launched through a terminal, he was able to interact with the company's internal servers and gain access to manage them as an administrator.
"I assumed that this was a critical vulnerability that was worth fixing since it was located right inside your infrastructure," Sadeghipour wrote in his email to Meta. The company quickly responded to the situation and asked the researcher to refrain from further testing until the problem was resolved. The fix took only one hour.
Sadeghipour also emphasized the danger of the discovered error. While he did not test all possible functionality that could be exploited from within Facebook's infrastructure, he did caution that the vulnerability could potentially allow access to other sites and systems within the company's infrastructure. "Using a remote code execution vulnerability, you can bypass restrictions and directly extract data both from the server itself and from other devices to which it is connected," he explained.
Meta declined to comment when asked by journalists, but confirmed that the bug had been fixed. Sadeghipour also added that similar problems exist at other companies whose advertising platforms he tested.