Security researcher Ben Sadeghipour recently discovered a critical vulnerability in Meta’s Facebook ad platform that allowed him to run commands on an internal server, effectively giving him control of the server. The vulnerability underscores the security risks inherent in online ad systems, which handle vast amounts of sensitive data and are increasingly becoming attractive targets for hackers.
Sadeghipour uncovered the flaw in October 2024 while analyzing Facebook’s ad platform. He found that a server used for creating and delivering ads was vulnerable to a previously patched flaw in the Chrome browser, which Facebook still utilized in its system. By using a headless Chrome browser — a version of the browser that runs from the command line without a graphical interface — Sadeghipour was able to interact directly with Facebook’s internal servers.
After discovering the issue, Sadeghipour reported it to Meta, which fixed the vulnerability within an hour and awarded him a $100,000 bug bounty. According to the researcher, Meta responded quickly, instructing him to “refrain from further testing” while they resolved the issue.
How the Vulnerability Worked
The vulnerability exploited by Sadeghipour stemmed from a previous Chrome browser flaw. Facebook’s ad platform, which relies on server-side data processing, still used this unpatched version in its infrastructure. This allowed Sadeghipour to achieve remote code execution (RCE) on the server, a significant breach that could have been used to pull sensitive data or access other machines within Facebook’s network.
The flaw posed a serious risk because the server was part of Facebook’s internal infrastructure. “What makes this dangerous is this was probably a part of an internal infrastructure,” Sadeghipour told TechCrunch. He explained that with RCE capabilities, attackers could bypass many security controls and potentially access other critical systems.
Ad Platforms: A Juicy Target for Hackers
Sadeghipour emphasized that online advertising platforms are prime targets for hackers due to the amount of data they process. These platforms handle video, text, and image ads, all of which require server-side processing. This opens up multiple attack vectors for hackers to exploit.
“There’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images,” Sadeghipour explained. “At the core of it all, it’s a bunch of data being processed on the server-side, and it opens up the door for a ton of vulnerabilities.”
The researcher warned that similar ad platforms run by other companies could be vulnerable to the same type of attacks. He noted that many ad delivery systems use similar underlying technologies, making them susceptible to known browser vulnerabilities or server-side flaws.
A Warning to Other Platforms
Sadeghipour’s discovery isn’t just a cautionary tale for Meta; it serves as a warning to the entire industry. The ad tech ecosystem, which powers digital marketing campaigns across the web, could be riddled with similar vulnerabilities. Companies that manage ad platforms must ensure their systems are patched and up-to-date, particularly when it comes to server-side components that handle critical user data.
As Sadeghipour pointed out, the risk isn’t limited to a single company. “Since we have code execution, we could’ve interacted with any of the sites within that infrastructure,” he said. His research highlights the importance of ongoing security testing to prevent future breaches.
With billions of dollars flowing through online ad platforms, the potential for exploitation by cybercriminals is significant. Other ad platforms need to take note and proactively address security risks before they become the next high-profile target.