Facebook Rewards Researcher $100,000 for Discovering Vulnerability with Internal Access Potential

Facebook Rewards Researcher $100,000 for Discovering Vulnerability with Internal Access Potential

In October 2024, security researcher Ben Sadeghipour discovered a significant security vulnerability in Facebook’s ad platform, allowing him to execute commands on an internal server. This breach essentially granted him control over critical server infrastructure, raising alarms about the security of online advertising platforms.

Discovery of the Vulnerability

While analyzing Facebook’s ad system, Sadeghipour identified a flaw that had previously been addressed in the Chrome browser. This unpatched vulnerability was particularly concerning as it enabled him to hijack Facebook’s ad server using a headless Chrome browser, a version of the browser that operates from the computer’s terminal.

Quick Response from Meta

Upon reporting the issue to Meta, the parent company of Facebook, Sadeghipour received a swift response. Meta reportedly fixed the vulnerability within just one hour of notification. In recognition of his timely discovery, the social media giant awarded him a $100,000 bug bounty payout.

Details of the Security Risk

Sadeghipour emphasized the risks associated with such vulnerabilities in online advertising platforms. He noted that these systems process vast amounts of data on the server-side, creating potential entry points for malicious actors. He stated:

  • “There’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images.”
  • “What makes this dangerous is this was probably a part of an internal infrastructure.”

Potential Impact of the Breach

With remote code execution capabilities, attackers could bypass security limitations and access sensitive information from the server and other interconnected systems. Sadeghipour expressed concerns about the implications of such vulnerabilities:

  • “We could’ve interacted with any of the sites within that infrastructure.”
  • “This opens up the door for a ton of vulnerabilities.”
READ ALSO  Google Patches Critical Chrome Zero-Day Vulnerability Targeting Journalists in Recent Hacking Campaign

Wider Implications for Online Advertising

Beyond Facebook, Sadeghipour indicated that similar vulnerabilities exist in other online advertising platforms he has been analyzing. This revelation highlights the need for robust security measures across the industry to safeguard sensitive data.

Conclusion

The quick action taken by Meta in response to Sadeghipour’s findings underscores the importance of vigilant security practices in the tech industry. As online advertising continues to evolve, both researchers and companies must remain proactive in identifying and resolving potential security threats.

For more information on online security vulnerabilities, visit CISA Alerts or check out our article on Cybersecurity Best Practices.

Similar Posts

Transform Your Selfies into Fun Stickers with WhatsApp's New Feature!

New Victim Emerges: Paragon Spyware Strikes Again!

Bysupport

Beppe Caccio, co-founder of Mediterranea Saving Humans, has revealed he was targeted in a spyware campaign linked to the Israeli company Paragon, following a similar disclosure by colleague Luca Casarini. Both activists received notifications from WhatsApp about the attacks, raising concerns over privacy and safety. Casarini has filed a complaint with the Prosecutor’s Office in Palermo to identify those responsible. Previous victims include journalist Francesco Cancellato and Libyan activist Husam El Gomati. Despite the Italian government’s denial of involvement, the campaign reportedly targeted around 90 individuals across multiple countries. Investigations are ongoing, with Paragon and the government yet to respond.

Genea Confirms Data Breach: Australian IVF Leader Targeted in Cyberattack

Genea Confirms Data Breach: Australian IVF Leader Targeted in Cyberattack

Bysupport

Genea IVF, a major Australian fertility treatment provider, has reported a significant cybersecurity incident affecting patient services and potentially compromising sensitive information. Following inquiries from ABC, Genea engaged crisis management firm Porter Novelli and confirmed they are urgently investigating the breach. The company has experienced disruptions, including outages in phone lines and the temporary shutdown of the MyGenea app. While Genea has not disclosed what specific data was accessed, they collect sensitive health information. They assure patients that they are committed to transparency and will inform affected individuals if any personal information is compromised.

Skype's Shutdown: Celebrating Its Legacy of Mass Adoption of End-to-End Encryption

Skype’s Shutdown: Celebrating Its Legacy of Mass Adoption of End-to-End Encryption

Bysupport

On March 5, 2012, Egyptian revolutionaries stormed the State Security Investigations headquarters in Cairo, revealing evidence of torture and surveillance, including documents and the hacking software FinFisher from Gamma International. This tool could access emails, upload spyware, and monitor communications, compromising user privacy. Skype, launched in 2003 with end-to-end encryption, was initially celebrated for its security but faced scrutiny from law enforcement and was later modified by Microsoft to allow NSA surveillance, undermining its encryption claims. Microsoft announced plans to shut down Skype on May 5, 2025, as its user base dwindles, though its encryption legacy continues in modern apps.

Meta Unveils 'Project Waterworth': A Groundbreaking 50,000 km Global Subsea Cable Initiative

Meta Unveils ‘Project Waterworth’: A Groundbreaking 50,000 km Global Subsea Cable Initiative

Bysupport

Meta has launched Project Waterworth, an ambitious subsea cable initiative aimed at enhancing global connectivity and improving its digital services for billions of users. Spanning 50,000 kilometers, it will be the world’s longest subsea cable, connecting five continents with landing points in the U.S., Brazil, India, South Africa, and more. The project focuses on India and aims to boost AI services globally. Utilizing innovative technology, including 24 fiber pair cables and advanced burial techniques, it addresses geopolitical challenges. Supported by a U.S.-India cooperation agreement, Project Waterworth represents Meta’s largest investment in subsea infrastructure, following its ownership of 16 existing networks.

Unlocking Secrets: Accessing Private GitHub Repos Through Copilot Despite Previous Exposure

Unveiling Hidden Gems: Accessing Private GitHub Repositories Through Copilot

Bysupport

Security researchers are highlighting risks linked to data exposure in generative AI chatbots like Microsoft Copilot. A cybersecurity firm, Lasso, uncovered that thousands of previously public GitHub repositories from major corporations, including Microsoft, remain accessible due to Bing’s indexing. This allows sensitive content to be retrievable via Copilot even after repositories are made private. Over 20,000 private repositories, impacting over 16,000 organizations, still have exposed data, including intellectual property and access tokens. Lasso has advised affected companies to revoke compromised keys. Microsoft has downplayed the issue, classifying it as “low severity,” yet the risk of data exposure persists.

Paragon Spyware Unveils New Target: Latest Developments in Cybersecurity Threats

Paragon Spyware Unveils New Target: Latest Developments in Cybersecurity Threats

Bysupport

Mediterranea Saving Humans, an Italian nonprofit focused on rescuing migrants, announced that its founder, Luca Casarini, was targeted in a spyware campaign aimed at WhatsApp users. The spyware, developed by Israeli startup Paragon Solutions, affected around 90 individuals, including activists and journalists challenging Italy’s far-right government. Mediterranea expressed concerns about potential government involvement in the operation. While Paragon’s U.S. subsidiary claimed a zero-tolerance policy against targeting civil society figures, they did not clarify if the Italian government is a client. The Citizen Lab is investigating Casarini’s phone for spyware, underscoring the risks associated with the surveillance industry.