Facebook has awarded a security researcher a whopping $100,000 for discovering a critical vulnerability in the company’s ad platform that granted internal access to a server. This bug, found by Ben Sadeghipour, allowed him to run commands on the internal Facebook server housing the ad platform, giving him control of the server.
Meta reportedly fixed the issue within one hour of Ben Sadeghipour's report, raising questions about the effectiveness of Facebook's bug bounty program. While the quick response is commendable, it also highlights the severity of the vulnerability and the potential risks it posed to users.
Part of Ben Sadeghipour's report to Meta reads: "My assumption is that it's something you may want to fix because it is directly inside of your infrastructure."
Meta responded to his report, telling Sadeghipour to “refrain from testing any further” while they fix the vulnerability.
Sadeghipour found the Facebook vulnerability while working with independent researcher Alex Chapman.
This is not an isolated incident, as another researcher, Sayed Abdelhafiz, was awarded $10,000 in 2020 for finding a vulnerability in the download feature of Facebook’s Android app that could be exploited to launch remote code execution (RCE) attacks. Facebook’s Android app uses two methods of downloading files from a group: a built-in Android service called DownloadManager and a second method called Files Tab.
Security researcher Sayed Abdelhafiz discovered a path traversal flaw in the second method, the Files Tab.
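To illustrate the bug class named above, here is an added example (not code from the page, from Facebook, or from the researcher's report) showing the unvalidated path join that characterises a path traversal flaw in a download feature, beside a hardened version that refuses any file name whose normalized destination leaves the download directory. The base directory, the sample file names and the function names are constructed for the example.

```python
import os

# Constructed base directory for downloaded files (an Android app's private
# storage is used as the illustrative layout; the path is made up).
DOWNLOAD_DIR = "/data/data/com.example.app/files/downloads"


def unsafe_download_path(base_dir: str, filename: str) -> str:
    """The pattern behind a path-traversal bug: a remotely supplied file name is
    joined onto the base directory with no validation, so '..' components or an
    absolute name can redirect the write anywhere the process can reach."""
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_download_path(base_dir: str, filename: str) -> str:
    """Return the absolute destination for `filename`, or raise ValueError if the
    normalized path would not be a file strictly inside `base_dir`."""
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, filename))
    # commonpath compares whole path components, so a sibling such as
    # ".../downloads2/x" is not mistaken for a child of ".../downloads"
    # (a plain startswith() check gets that case wrong). normpath does not
    # follow symlinks; on a live filesystem use os.path.realpath as well.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected path traversal attempt: {filename!r}")
    return candidate


def is_traversal(base_dir: str, filename: str) -> bool:
    """True when the hardened check rejects the file name."""
    try:
        safe_download_path(base_dir, filename)
    except ValueError:
        return True
    return False


# Constructed sample file names as they might arrive from a remote source.
SAMPLE_NAMES = [
    "report.pdf",
    "sub/notes.txt",
    "../../shared_prefs/secrets.xml",
    "/etc/hosts",
    "downloads2/../../escape.txt",
    "",
]


def audit(base_dir: str = DOWNLOAD_DIR, names=SAMPLE_NAMES) -> dict:
    """Map each sample name to whether the hardened check rejects it, which is
    the kind of table a reviewer wants when auditing a download handler."""
    return {name: is_traversal(base_dir, name) for name in names}


if __name__ == "__main__":
    for name, rejected in audit().items():
        verdict = "REJECTED" if rejected else "ok"
        print(f"{name!r:40} unsafe -> {unsafe_download_path(DOWNLOAD_DIR, name)}  [{verdict}]")
```

Running the script prints, for each sample name, where the unvalidated join would have written the file and whether the hardened check rejects it; the interesting rows are the ones where the unsafe destination lands outside the download directory.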
The fact that these vulnerabilities exist in the first place is a cause for concern. It raises the question: how many other critical bugs are lurking in Facebook's systems, waiting to be discovered? The company's bug bounty program is a step in the right direction, but it's unclear whether it's enough to ensure the security and privacy of Facebook's users.
As Facebook continues to grow and evolve, it's essential that the company prioritizes security and transparency. This includes being more proactive in identifying and addressing vulnerabilities, and being more open with users about the platform's potential risks and consequences.