In October 2024, security researcher Ben Sadeghipour discovered a critical vulnerability in Facebook's ad platform that allowed him to execute commands on an internal Facebook server, effectively giving him control of that server. After he reported the issue, Meta fixed it within an hour and awarded Sadeghipour $100,000 under its bug bounty program.
The vulnerability stemmed from an unpatched flaw in the Chrome browser that Facebook's ad system used; Sadeghipour exploited it through the platform's headless Chrome instance to reach internal servers. He emphasized that online ad platforms are particularly prone to such vulnerabilities because of the complexity of the server-side processing they perform on submitted data.
Sadeghipour refrained from fully testing the server's capabilities but highlighted the potential risks of remote code execution, such as accessing other machines within the same infrastructure. He noted that similar vulnerabilities might exist in ad platforms of other companies. Meta declined to comment further on the incident.