A loophole in Facebook’s advertising targeting mechanism could have let attackers obtain users’ phone numbers after they visited websites the attackers controlled, a group of information security training professionals revealed in a paper presented last week.
Facebook, which awarded the researchers a $5,000 bug bounty, has since taken steps to thwart similar attacks, and neither the company nor the information security researchers say they have any evidence the technique was ever used maliciously.
The potential attack, presented by information security training investigators from Northeastern University and institutions in France and Germany at the Federal Trade Commission’s PrivacyCon, exploits the way Facebook allows advertisers to target ads to custom audiences. Those can be built based on users’ interests, visits to a particular website, email addresses, phone numbers, or other factors known to the social networking company.
Facebook and other social networks allow advertisers an essentially unparalleled degree of freedom in automatically targeting messages to particular people based on their interests and demographics. But those liberal advertising policies have come under fire in recent years, with critics saying they enabled everything from racial discrimination and hate speech to surreptitious Russian propaganda.
In this case, though the system is designed not to let advertisers learn the identities of users based on information they don’t make public, the researchers realized that ad audiences built based on the combination of different factors, for example, a list of phone numbers and a list of email addresses, would only include each user once. That meant that the number of users in a cleverly built audience could reveal whether such pair of lists had any duplicates, which would indicate that a phone number from one and an email address from another belonged to the same user.
Even though Facebook didn’t explicitly provide the exact number of matches, and rounded the total number of people in the combined ad audience, the scientists essentially found they could detect whether adding a pair of identifiers potentially belonging to the same user caused the rounded total number of matches to increase, indicating a match.
The company responded initially by suppressing size estimates for audiences created with multiple sets of information, such as email addresses and phone numbers, according to the paper. The company later restored some information after taking other safeguards, a spokesperson says.
“We’re grateful to the information security researchers who brought this issue to our attention,” a Facebook spokesperson tells. “We didn’t see any abuse of this complex technique, and have restored reach estimation on a limited basis now that we have added appropriate safeguards against potential abuse.” In the past, Facebook has announced other changes to its ad targeting mechanisms to block other sorts of abuse.
After information security training consultant found in 2010 that sneaky advertisers could target ads to particular individual users and potentially extract private data about them, the company took steps to make that impossible. Last fall, after an information security training expert discovered the social network allowed advertisers to target people with explicitly racist interests. “The fact that hateful terms were even offered as options was totally inappropriate and a fail on our part,” wrote chief operating officer Sheryl Sandberg at the time. “We removed them and when that was not totally effective, we disabled that targeting section in our ad systems.”
Facebook’s overall approach of showing ads to only users meeting certain criteria has also been critiqued for making it difficult for outsiders to know what paid messages are being delivered through the network.
Facebook has added workers to review ads, as well as tools to make it easier to see what ads a particular page on the network is running. “To provide even greater transparency for people and accountability for advertisers, we’re now building new tools that will allow you to see the other ads a Page is running as well, including ads that aren’t targeted to you directly,” wrote Joel Kaplan, VP for global public policy, in October.