In October 2024, security researcher Ben Sadeghipour uncovered a critical vulnerability in Facebook’s ad platform, enabling him to execute commands on the internal server managing the system, TechCrunch reports.
The flaw, which was linked to an unpatched issue in the Chrome browser integrated into Facebook's ad infrastructure, could have granted malicious actors control over the server. After Sadeghipour reported the issue, Meta, Facebook's parent company, fixed the vulnerability within an hour and awarded him $100,000 through its bug bounty program.
The exploit abused a headless Chrome browser, which allowed direct interaction with Meta's internal servers. Sadeghipour refrained from further testing but warned of the risks such flaws pose, given the access they provide to internal infrastructure. He highlighted the potential to bypass restrictions and retrieve data from interconnected machines. Meta acknowledged the report but provided no public comment. Sadeghipour stressed that similar vulnerabilities might exist in other ad platforms, because creating advertisements involves complex server-side data processing, underscoring the broader risks to online advertising systems.