Researcher Finds Critical Facebook Server Flaw, Warns Other Platforms May Be at Risk

Share post:

Security researcher Ben Sadeghipour recently discovered a critical vulnerability in Meta’s Facebook ad platform that allowed him to run commands on an internal server, effectively giving him control of the server. The vulnerability underscores the security risks inherent in online ad systems, which handle vast amounts of sensitive data and are increasingly becoming attractive targets for hackers.

Sadeghipour uncovered the flaw in October 2024 while analyzing Facebook’s ad platform. He found that a server used for creating and delivering ads was vulnerable to a previously patched flaw in the Chrome browser, which Facebook still utilized in its system. By using a headless Chrome browser — a version of the browser that runs from the command line without a graphical interface — Sadeghipour was able to interact directly with Facebook’s internal servers.

After discovering the issue, Sadeghipour reported it to Meta, which fixed the vulnerability within an hour and awarded him a $100,000 bug bounty. According to the researcher, Meta responded quickly, instructing him to “refrain from further testing” while they resolved the issue.

How the Vulnerability Worked

The vulnerability exploited by Sadeghipour stemmed from a previous Chrome browser flaw. Facebook’s ad platform, which relies on server-side data processing, still used this unpatched version in its infrastructure. This allowed Sadeghipour to achieve remote code execution (RCE) on the server, a significant breach that could have been used to pull sensitive data or access other machines within Facebook’s network.

The flaw posed a serious risk because the server was part of Facebook’s internal infrastructure. “What makes this dangerous is this was probably a part of an internal infrastructure,” Sadeghipour told TechCrunch. He explained that with RCE capabilities, attackers could bypass many security controls and potentially access other critical systems.
Ad Platforms: A Juicy Target for Hackers

Sadeghipour emphasized that online advertising platforms are prime targets for hackers due to the amount of data they process. These platforms handle video, text, and image ads, all of which require server-side processing. This opens up multiple attack vectors for hackers to exploit.

“There’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images,” Sadeghipour explained. “At the core of it all, it’s a bunch of data being processed on the server-side, and it opens up the door for a ton of vulnerabilities.”
The researcher warned that similar ad platforms run by other companies could be vulnerable to the same type of attacks. He noted that many ad delivery systems use similar underlying technologies, making them susceptible to known browser vulnerabilities or server-side flaws.

A Warning to Other Platforms

Sadeghipour’s discovery isn’t just a cautionary tale for Meta; it serves as a warning to the entire industry. The ad tech ecosystem, which powers digital marketing campaigns across the web, could be riddled with similar vulnerabilities. Companies that manage ad platforms must ensure their systems are patched and up-to-date, particularly when it comes to server-side components that handle critical user data.

As Sadeghipour pointed out, the risk isn’t limited to a single company. “Since we have code execution, we could’ve interacted with any of the sites within that infrastructure,” he said. His research highlights the importance of ongoing security testing to prevent future breaches.

With billions of dollars flowing through online ad platforms, the potential for exploitation by cybercriminals is significant. Other ad platforms need to take note and proactively address security risks before they become the next high-profile target.

SUBSCRIBE NOW

Related articles

FBI’s Operation Level Up Ends Cyber Scams and Saves Millions of Dollars and Lives

We should send a love note out to The Federal Bureau of Investigation (FBI) who launched Operation Level...

Thomson Reuters Wins Landmark AI Copyright Case Against Ross Intelligence

In a significant legal development, Thomson Reuters has secured a victory in the first major U.S. copyright case...

DOGE’s Teen Hacker Stirs Concern Over Musk Team’s Access to Federal Databases

A 19-year-old named Edward “Big Balls” Coristine has raised red flags after Wired revealed he holds a key...

Deep Seek and Open Source AI – Without the Hype: Discussion with Robert Falzon, Head of Engineering, Check Point

DeepSeek AI is shaking up the cybersecurity world—are we prepared for the risks? Join host Jim Love and...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways