InfoSecBulletin Cybersecurity for mankind
In October 2024, security researcher Ben Sadeghipour discovered a vulnerability in Facebook’s ad platform that allowed him to run commands on its internal server, giving him control over it. After Sadeghipour reported the vulnerability to Meta, Facebook’s parent company, it was fixed within an hour, and he received a $100,000 bug bounty.
Techcrunch reported “My assumption is that it’s something you may want to fix because it is directly inside of your infrastructure,” Sadeghipour wrote in the report he sent to Meta. Meta responded to his report, telling Sadeghipour to “refrain from testing any further” while they fix the vulnerability.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
Sadeghipour reported that a Facebook ad server was still vulnerable to a flaw in the Chrome browser that had already been fixed. This unpatched bug allowed him to take control of the server using a headless version of Chrome to directly access Facebook’s internal systems.
Sadeghipour, who found the Facebook vulnerability working with independent researcher Alex Chapman, told TechCrunch that online advertising platforms make for juicy targets because, “there’s so much that happens in the background of making these ‘ads’ — whether they are video, text, or images.”
“But at the core of it all it’s a bunch of data being processed on the server-side and it opens up the door for a ton of vulnerabilities,” said Sadeghipour.
The researcher said he didn’t test out everything he could have done once inside the Facebook server, but “what makes this dangerous is this was probably a part of an internal infrastructure.”
“Since we have code execution, we could’ve interacted with any of the sites within that infrastructure,” said Sadeghipour. “With an [remote code execution vulnerability], you can bypass some of these limitations and also directly pull stuff from the server itself and the other machines that it has access to.”
While Meta has not provided an official comment on the incident, the substantial bounty awarded underscores the significance of Sadeghipour’s finding.
Sadeghipour mentioned that similar advertising platforms used by other companies also have vulnerabilities he has been analyzing.
This incident underscores the importance of bug bounty programs in addressing security threats. Facebook’s program, launched in 2011, has paid over $16 million, reflecting the company’s dedication to cybersecurity.
