Facebook Awards $100,000 Bug Bounty for Critical Ad Platform Vulnerability

Sophia Steele

January 09, 2025 · 3 min read

In a stunning revelation, security researcher Ben Sadeghipour has uncovered a critical vulnerability in Facebook's ad platform, which could have given attackers control of the social media giant's internal servers. The discovery, made in October 2024, earned Sadeghipour a $100,000 bug bounty payout from Facebook's parent company, Meta.

The vulnerability, which Meta fixed within an hour of the report, allowed Sadeghipour to run commands on the internal Facebook server housing the ad platform. This level of access could have enabled malicious actors to manipulate the platform, compromise user data, and wreak havoc on the social network.

Sadeghipour's discovery was made possible by an unpatched bug in the Chrome browser, which Facebook uses in its ads system. The researcher exploited this vulnerability using a headless Chrome browser, allowing him to interact directly with Facebook's internal servers. This highlights the importance of keeping software up to date and patching known vulnerabilities to prevent exploitation.

The researcher, who collaborated with independent researcher Alex Chapman, emphasized that online advertising platforms are particularly vulnerable to attacks due to the complex processes involved in creating and delivering ads. "There's so much that happens in the background of making these 'ads' — whether they are video, text or images," Sadeghipour told TechCrunch. "But at the core of it all, it's a bunch of data being processed on the server-side, and it opens up the door for a ton of vulnerabilities."

Sadeghipour's findings have significant implications for the online advertising industry as a whole. The researcher believes that ad platforms run by other companies are likely vulnerable to similar attacks, highlighting the need for increased vigilance and security measures in this space.

Meta spokesperson Nicole Catalano acknowledged receipt of TechCrunch's request for comment but did not provide further information by press time. The company's swift response to the vulnerability report and subsequent bug bounty payout demonstrate its commitment to prioritizing security and collaborating with the research community.

The discovery of this critical vulnerability serves as a reminder of the importance of responsible disclosure and the role of security researchers in helping to identify and remediate vulnerabilities. As the online advertising landscape continues to evolve, it is crucial that companies prioritize security and work closely with the research community to stay ahead of potential threats.

Copyright © 2024 Starfolk. All rights reserved.