Pierluigi Paganini January 12, 2025

Facebook paid $100,000 to a researcher for discovering a bug that granted him command access to an internal server in October 2024.

TechCrunch first reported that Facebook awarded security researcher Ben Sadeghipour (@NahamSec) $100,000 for reporting a vulnerability that granted him access to an internal server.

The researcher emphasized the vulnerability of online ad platforms due to extensive server-side data processing, which can expose multiple security issues.

The expert discovered the flaw in October 2024 while probing Facebook’s ad platform. He exploited the bug to execute commands on an internal company server, effectively taking control of it.

Sadeghipour reported the bug to Meta through the company bug bounty program and the social media giant immediately acknowledged the issue, and addressed it.

The flaw stemmed from Facebook’s ad server using an unpatched Chrome version, allowing Sadeghipour to hijack it via a headless Chrome browser.

“The issue, according to Sadeghipour, was that one of the servers that Facebook used for creating and delivering ads was vulnerable to a previously fixed flaw found in the Chrome browser, which Facebook uses in its ads system.” reported TechCrunch. “Sadeghipour said this unpatched bug allowed him to hijack it using a headless Chrome browser (essentially a version of the browser that users run from the computer’s terminal) to interact directly with Facebook’s internal servers.” 

The researcher did not continue testing all possible implications of exploiting the flaw because, as soon as he reported it to Meta, the company acknowledged the issue and asked him to suspend activities to allow for bug fixing.

Suck kinds of vulnerabilities potentially allow threat actors to compromise multiple components of internal infrastructure of the company. Other organizations could suffered similar issues.

Sadeghipour made the headlines for other important disclosures, in October 2020 he was part of a team of researchers that received hundreds of thousands of dollars in bug bounties for reporting 55 vulnerabilities as part of the Apple bug bounty program.

A team of researchers composed of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes reported a total of 55 flaws to Apple as part of the company bug bounty program.

The flaws were all covered by Apple’s bug bounty program, 11 vulnerabilities have been rated critical and 29 rated high severity.

Apple addressed some of the flaws a few hours after they were reported by the researchers.

The researchers already received for these issues 32 payrolls for a total of $288,500 but likely will receive more for the other flaws reported.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)