In October 2024, security researcher Ben Sadeghipour was analyzing Facebook’s ad platform when he found a security vulnerability that allowed him to run commands on the internal Facebook server housing that platform, essentially giving him control of the server.
After he reported the vulnerability to Facebook’s owner Meta, which Sadeghipour said took just one hour to fix it, the social networking giant awarded him $100,000 in a bug bounty payout.
“My assumption is that it’s something you may want to fix because it’s directly within your infrastructure,” Sadeghipour wrote in the report he sent to Meta, he told TechCrunch. Meta responded to his report, telling Sadeghipour to “refrain from testing any further” while they fix the vulnerability.
The issue, according to Sadeghipour, was that one of the servers that Facebook used for creating and delivering ads was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ads system. Sadeghipour said this unpatched bug allowed him to hijack it using a headless Chrome browser (essentially a version of the browser that users run from the computer’s terminal) to interact directly with Facebook’s internal servers.
Sadeghipour, who found the Facebook vulnerability working with independent researcher Alex Chapman, told TechCrunch that online advertising platforms make for juicy targets because, “there’s a lot that occurs in the background of constructing these ‘advertisements’ — whether they’re video, text or photographs.”
“But at the core of it all, it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,” said Sadeghipour.
The researcher said he didn’t try out everything he could have done once inside the Facebook server, but “what makes this dangerous is that this was probably a part of an internal infrastructure.”
“Since we have code execution, we could’ve interacted with any of the sites within that infrastructure,” said Sadeghipour. “With an [remote code execution vulnerability], you can bypass some of these limitations and also directly pull stuff from the server itself and the other machines that it has access to.”
Meta spokesperson Nicole Catalano acknowledged receipt of TechCrunch’s request for comment, but did not comment by press time.
Sadeghipour also said that similar ad platforms that other companies run, and which he has been analyzing, are vulnerable to similar vulnerabilities.