A researcher receives the top prize for finding a Facebook bug that could unlock the gateways to its internal systems

A security flaw in Facebook’s advertising platform has been fixed by Meta
The researcher who discovered this vulnerability received a $100,000 reward
The vulnerability allowed the researcher to successfully take control of the Facebook server

Meta has awarded cybersecurity researcher Ben Sadeghipour a $100,000 bug bounty after he discovered a vulnerability in Facebook’s advertising platform in October 2024.

The flaw allowed Sadeghipour to run commands on the internal Facebook server that hosted the platform, giving him control of the server.

According to Sadeghipour, the unpatched bug allowed him to take over the server using the headless Chrome browser, which is the version browser users boot from a computer terminal to directly interact with Facebook’s internal servers.

Part of a broader researcher

The platform flaw was linked to a server that Facebook used to create and deliver ads, and which was vulnerable to a previously patched vulnerability in the Chrome browser that Facebook uses in its advertising system.

Sadeghipour he said TechCrunch online advertising platforms are attractive targets because “there is so much going on in the background of creating these ‘ads’ – whether they are video, text or image files.”

“But at the heart of it all is a collection of data processed on the server side, which opens the door to a multitude of vulnerabilities,” Sadeghipour said.

The researcher confirms that he did not test everything he could once he was on the server, although “the dangerous thing is that it was probably part of the internal infrastructure.”

Sadeghipour said that after reporting the vulnerability to Meta, it took just an hour to fix the bug, noting that its discovery was part of “ongoing research into a specific application with a specific purpose.” Specifically, it took him several hours to identify this flaw, but Meta worked with him to quickly patch the bug and offered a reward that “far exceeded” expectations, he confirmed in Post on LinkedIn.

The number of bug bounties has increased recently, including: Google is dramatically increasing its rewards for researchers participating in the program, making security research increasingly profitable.