Vulnerability in Facebook Ad Accounts | Delete Rejected Ads via Instagram Web to Bypass Policy Enforcement

I discovered a synchronization flaw between Instagram and Facebook’s advertising system that allows advertisers to bypass integrity enforcement. By exploiting this, a malicious actor can “clean” the violation history of a disabled Facebook Ad Account before submitting an appeal, effectively forcing a 100% reinstatement rate by hiding the evidence of their rejected ads.

What Happened?

When a Facebook Ad Account is disabled for severe policy violations, it is placed in a “Read-Only” state. This is a critical security measure: Facebook prevents you from deleting or editing the offending ads so that their review team can audit the account’s history during an appeal.

However, I found a massive oversight in how Instagram Web synchronizes with Facebook Ads Manager. Even when a Facebook Ad Account is disabled and “locked,” the Instagram web interface—specifically for ads originally created via Instagram—still allows for full management. Because the deletion command isn’t properly checked against the Facebook account’s status, an attacker can delete the very ads that caused the ban, even for high-severity violations like weapons sales.

The Impact: Integrity Manipulation

This isn’t just a technical glitch; it’s a bypass of Facebook’s advertising integrity system. By deleting the evidence, an advertiser can submit an appeal for a “clean” account. When the Facebook reviewer opens the case, they find no violating ads, leading to the automatic or manual reinstatement of accounts that should have remained banned for dangerous content.

How I Verified It

1. The Setup: I used a Facebook Ad Account that was disabled due to 13 rejected ads that clearly showed weapons. Crucially, these ads were originally created and boosted via Instagram.

2. The Appeal Screen: I logged into the Facebook Ads Manager and navigated to the Submit Appeal screen. Facebook clearly listed all 13 weapon-related ads on this screen as the primary evidence for the account being disabled.

3. The Exploit (The Bypass): While keeping the appeal screen open in one tab, I logged into the linked Instagram account via instagram.com in another. I navigated to the Ad Tools section.

4. The Action: Despite the Facebook Ad Account being in a restricted state, Instagram Web allowed me to select those 13 rejected ads and hit Delete.

5. Synchronization: The deletion command successfully propagated to the Facebook Ads Manager backend.

6. The Result: I returned to the Ads Manager appeal screen and refreshed the page. All 13 ads—the evidence of weapons violations—had completely disappeared from the list.

7. Campaign Deletion: Furthermore, I checked the Ads Manager Campaigns list. All campaigns associated with those Instagram boosts were successfully deleted from the account history as well.

8. The Final Proof: I submitted the appeal for the now-“clean” account. The appeal was successfully approved, and the account was reinstated because the review team found no evidence of the original violations.

Why It’s Dangerous

This vulnerability allows bad actors to operate with impunity. They can run prohibited ads for dangerous items, and if they get caught, they simply “wipe the slate clean” and get their account back. It undermines the entire manual review process by allowing the “defendant” to destroy the evidence before the “judge” sees it.

The flaw exists because Facebook failed to apply a global “Read-Only” lock across all endpoints that can trigger ad deletions, specifically missing the Instagram web interface.
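The root cause described above is a state check that lives in one entry point instead of at the data layer. The following is an added illustration in Python, not Meta's code, and every name in it (AccountStatus, Surface, VulnerableAdStore, HardenedAdStore, the account and ad identifiers) is a hypothetical construct. It models two deletion surfaces sharing one ad store: in the vulnerable version only the Ads Manager handler consults the account's disabled status, so the Instagram Web path removes the rejected ads the reviewer relies on; in the hardened version a single authorization gate sits under every surface and also records blocked attempts as an audit signal.

```python
from dataclasses import dataclass
from enum import Enum


class AccountStatus(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"   # disabled for policy violations: must be read-only during appeal


class Surface(Enum):
    ADS_MANAGER = "facebook_ads_manager"
    INSTAGRAM_WEB = "instagram_web"


@dataclass
class Ad:
    ad_id: str
    account_id: str
    origin: Surface          # which surface created/boosted the ad
    rejected: bool = False   # flagged by policy review


@dataclass
class AdAccount:
    account_id: str
    status: AccountStatus = AccountStatus.ACTIVE


class ReadOnlyAccountError(PermissionError):
    """Raised when a mutation is attempted on a disabled (read-only) ad account."""


class VulnerableAdStore:
    """Models the flaw: the read-only check lives in the Ads Manager handler only."""

    def __init__(self, accounts, ads):
        self.accounts = {a.account_id: a for a in accounts}
        self.ads = {a.ad_id: a for a in ads}

    def delete_via_ads_manager(self, ad_id):
        ad = self.ads[ad_id]
        if self.accounts[ad.account_id].status is AccountStatus.DISABLED:
            raise ReadOnlyAccountError(ad.account_id)
        del self.ads[ad_id]

    def delete_via_instagram_web(self, ad_id):
        # Instagram-origin ads are removed without consulting the linked account's status.
        ad = self.ads[ad_id]
        if ad.origin is Surface.INSTAGRAM_WEB:
            del self.ads[ad_id]

    def evidence_for_appeal(self, account_id):
        """What the appeal screen would list: rejected ads still present on the account."""
        return sorted(a.ad_id for a in self.ads.values()
                      if a.account_id == account_id and a.rejected)


class HardenedAdStore(VulnerableAdStore):
    """One authorization gate at the data layer; every surface goes through it."""

    def __init__(self, accounts, ads):
        super().__init__(accounts, ads)
        self.audit = []      # blocked attempts, useful as a detection signal

    def delete(self, ad_id, surface):
        ad = self.ads[ad_id]
        account = self.accounts[ad.account_id]
        if account.status is AccountStatus.DISABLED:
            self.audit.append({"surface": surface.value, "ad_id": ad_id,
                               "account_id": account.account_id, "action": "delete_blocked"})
            raise ReadOnlyAccountError(account.account_id)
        del self.ads[ad_id]

    # Surface-specific handlers only delegate, so no surface can skip the gate.
    def delete_via_ads_manager(self, ad_id):
        self.delete(ad_id, Surface.ADS_MANAGER)

    def delete_via_instagram_web(self, ad_id):
        self.delete(ad_id, Surface.INSTAGRAM_WEB)


def _fixture():
    # Constructed sample data: one disabled account with two rejected Instagram-boosted ads.
    accounts = [AdAccount("act_1", AccountStatus.DISABLED)]
    ads = [Ad("ad_a", "act_1", Surface.INSTAGRAM_WEB, rejected=True),
           Ad("ad_b", "act_1", Surface.INSTAGRAM_WEB, rejected=True)]
    return accounts, ads


def run_scenario(store_cls):
    """Attempt deletion through both surfaces; report what the appeal reviewer would see."""
    store = store_cls(*_fixture())
    results = {"ads_manager_blocked": False, "instagram_blocked": False}
    for ad_id in ("ad_a", "ad_b"):
        try:
            store.delete_via_ads_manager(ad_id)
        except ReadOnlyAccountError:
            results["ads_manager_blocked"] = True
        try:
            store.delete_via_instagram_web(ad_id)
        except ReadOnlyAccountError:
            results["instagram_blocked"] = True
    results["evidence_after"] = store.evidence_for_appeal("act_1")
    results["audit_events"] = len(getattr(store, "audit", []))
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableAdStore))
    print("hardened:  ", run_scenario(HardenedAdStore))
```

Running the script shows the vulnerable store leaving an empty evidence list after the Instagram Web path runs, while the hardened store keeps both rejected ads and logs four blocked attempts. The design point is that the read-only state is a property of the account, not of the surface, so the check belongs where the mutation happens; the audit entries give a reviewer a record that a deletion was attempted on an account under appeal, which is itself worth surfacing in the appeal case.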

Resolution and Fix

After discovering the vulnerability, I reported it through Meta’s Bug Bounty Program, providing detailed reproduction steps and a proof-of-concept video. Meta acknowledged the issue and implemented a fix to secure the system.
