NIX Solutions: Meta Rewards Researcher for Critical Bug

Meta has paid $100,000 to independent cybersecurity researcher Ben Sadeghipour for discovering a serious vulnerability in the platform. While analyzing the ad serving system, Sadeghipour found a flaw that allowed him to execute a command in a closed part of Facebook’s server infrastructure, effectively granting full control over the server. As reported by TechCrunch, the vulnerability was connected to one of the servers used by Facebook to create and display ads.

This particular server was impacted by a previously known and fixed bug in the Chrome browser, which Facebook employs in its advertising system. According to Sadeghipour, by using a lightweight version of the Chrome browser launched through the terminal, he could interact with the company’s internal servers and gain the ability to manage them as an administrator. In his letter to Meta, the researcher explained the severity of this security gap, noting it was “right inside your infrastructure” and therefore required immediate attention.

Meta responded swiftly and asked Sadeghipour to halt any further testing until the issue was resolved. Impressively, the fix was implemented in just one hour. The urgency of the response reflected Meta’s understanding of the risk: if left unaddressed, the vulnerability could have granted unauthorized access to critical systems.

Swift Response and Wider Implications

Sadeghipour also emphasized the broader danger posed by this discovery. Although he did not test every possible function available within Facebook’s infrastructure, he warned that this vulnerability could potentially grant access to other sites and systems under Meta’s purview. “With the help of a remote code execution vulnerability, it is possible to bypass restrictions and directly extract data from both the server itself and other devices to which it is connected,” he explained. In other words, once an attacker gained a foothold, the potential for data extraction or manipulation could extend well beyond the initial entry point.

Meta declined to comment directly when contacted by journalists, but confirmed that the bug had indeed been fixed, adds NIX Solutions. Sadeghipour added that similar security issues exist at other companies with advertising platforms he has tested, suggesting that the industry as a whole should remain vigilant. Security researchers, like Sadeghipour, continue to play a vital role in uncovering these vulnerabilities before they can be exploited by malicious actors.

In his letter, Sadeghipour reportedly provided a clear outline of the flaw, explaining exactly how it could be replicated and the risks it posed to Meta’s systems. While the exact details remain private, his work underscored the importance of routine security checks, particularly for systems that rely heavily on third-party components or integrations such as embedded browsers. The fact that a bug previously fixed in Chrome was still exploitable in Meta’s ad infrastructure highlights how known issues can sometimes be reintroduced or overlooked in intricate server setups.

We encourage everyone to stay aware of ongoing security developments, and we’ll keep you updated as more information becomes available regarding similar vulnerabilities. Cybersecurity requires constant collaboration between researchers and platform owners, and this case illustrates just how effective that partnership can be when vulnerabilities are quickly identified, reported, and patched.

By acting decisively and compensating Sadeghipour for his findings, Meta has demonstrated its commitment to maintaining a robust security posture. Still, as Sadeghipour points out, such vulnerabilities can arise in other environments—reminding us that regular testing and responsible disclosure remain essential parts of modern cybersecurity.