Facebook tells users that giving the company their mobile phone number will help keep their account secure. Until a few weeks ago, however, the social network’s self-service ad-targeting tools could be massaged into revealing a Facebook user’s cellphone number from their email address. The same flaw made it possible to collect phone numbers for Facebook users who had visited a particular webpage.
Facebook fixed the problems on Dec. 22, and paid a “bug bounty” of $5,000 to the team of academic researchers from the US, France, and Germany who had reported the problem at the end of May.
The potential to access users’ phone numbers was a clear breach of Facebook’s data-use policy. It states: “We do not share information that personally identifies you … with advertising, measurement or analytics partners unless you give us permission.”
Facebook says it has no evidence anyone took advantage of the flaw to obtain user phone numbers. It wasn’t easy to exploit. But the incident illustrates a tricky trade-off at the heart of the company’s business model, says Neil Gong, a professor at Iowa State who works on social-network privacy and wasn’t involved in the research.
Software flaws are not uncommon in technology. For Facebook, however, the hazards of accidental slip-ups are magnified by its need to convince consumers to entrust it with their personal data while simultaneously giving advertisers ways to leverage that same data.
That creates different risks from those faced by more conventional data-hoarding companies, such as credit bureaus. While those companies typically work with select corporate clients, anyone can sign up to run ads on Facebook and tap the abundant data from its users.
“There have been data brokers for years but typically to get access to that data you had to sign a contract with them,” says Alan Mislove, a professor at Northeastern who worked on the project that exposed the problem. “Facebook and Google are de facto data brokers—they don’t sell data but they are making that data available in indirect ways to a wide range of people.”
Mislove worked with others from French research institutions EURECOM and University of Grenoble Alpes, and the Max Planck Institute for Software Systems in Germany. The group will present its findings at a security conference in May.
The researchers exploited one of Facebook’s self-serve ad-targeting products called Custom Audiences. It allows advertisers to upload lists of anonymized customer data such as email addresses and phone numbers, and then target ads to Facebook users the company can find using that data. Facebook tells advertisers how many of its users will see an ad targeted to such a list. If you create multiple target lists, it reports how much they overlap.
Until Facebook altered the system in December, that feedback on audience size and overlap could be exploited to reveal data about Facebook users. The trick involved taking advantage of the way Facebook rounded those figures to obscure the exact numbers of users in different audiences.
In one demonstration, the researchers got Facebook to reveal the cellphone numbers of 19 volunteers from the Boston area and France, who provided the email addresses associated with their Facebook accounts.
The first step involved using Facebook’s ad tools to generate a series of ad-targeting lists covering all 2 million possible Boston area cellphone numbers, and the 20 million numbers in France. The researchers then used Facebook’s tools to repeatedly compare those audience lists against others generated using the targets’ emails. Watching for changes to the estimated audience figures that occurred when an email address matched a phone number could reveal users’ numbers one digit at a time. This attack appeared to apply to all Facebook users with a phone number associated with their account.
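The mechanism described above, reduced to a toy simulation (added here as an illustration; this is not the researchers' code, and the rounding granularity, the 4-digit toy phone numbers, the sample users and the padding trick used to sit on a rounding boundary are all assumptions). It shows why rounding audience sizes alone does not stop a differencing attack, and that the fix the page describes, reporting no size for customer-data audiences, removes the oracle entirely:

```python
import random

ROUND_TO = 10   # assumed rounding granularity for this toy; the real value is not stated on the page
PHONE_LEN = 4   # toy phone numbers are 4 digits so every prefix bucket stays small

# Constructed toy user directory: uid -> (email, phone), with unique phones.
random.seed(1)
_phones = random.sample(range(10 ** PHONE_LEN), 400)
USERS = {uid: (f"u{uid}@example.test", str(p).zfill(PHONE_LEN)) for uid, p in enumerate(_phones)}
BY_EMAIL = {email: uid for uid, (email, _) in USERS.items()}
BY_PHONE = {phone: uid for uid, (_, phone) in USERS.items()}

def match(identifiers):
    """Resolve uploaded emails/phones to a set of user ids; a user counts once however it was found."""
    return ({BY_EMAIL[x] for x in identifiers if x in BY_EMAIL}
            | {BY_PHONE[x] for x in identifiers if x in BY_PHONE})

def rounded_size(identifiers):
    """Pre-fix behaviour: report the matched audience size rounded to the nearest ROUND_TO."""
    return (len(match(identifiers)) + ROUND_TO // 2) // ROUND_TO * ROUND_TO

def fixed_size(identifiers):
    """Post-fix behaviour described on the page: no size is reported for customer-data audiences."""
    return None

def phone_has_prefix(target_email, prefix, size_fn):
    """Membership oracle built only from reported sizes. Returns None if no size is reported."""
    rem = PHONE_LEN - len(prefix)
    bucket = [prefix + str(i).zfill(rem) for i in range(10 ** rem)] if rem else [prefix]
    matched = match(bucket)
    # Padding with known emails from outside the bucket parks the matched count just below a
    # rounding boundary, so a single extra match becomes visible (assumed method, not the paper's).
    need = (ROUND_TO // 2 - 1 - len(matched)) % ROUND_TO
    target_uid = BY_EMAIL[target_email]
    padding = [USERS[u][0] for u in USERS if u not in matched and u != target_uid][:need]
    base = bucket + padding
    before = size_fn(base)
    if before is None:
        return None
    after = size_fn(base + [target_email])
    return before == after   # unchanged size: the target was already counted via their phone

def recover_phone(target_email, size_fn):
    """Reconstruct a phone number one digit at a time; None when the oracle yields nothing."""
    prefix = ""
    for _ in range(PHONE_LEN):
        for d in "0123456789":
            hit = phone_has_prefix(target_email, prefix + d, size_fn)
            if hit is None:
                return None
            if hit:
                prefix += d
                break
        else:
            return None
    return prefix
```

With `rounded_size` the toy recovers a volunteer's number from their email; with `fixed_size` the same procedure learns nothing, which is the defensive point.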
In a second experiment, the same approach was used to collect phone numbers en masse for volunteers who visited a website with the “tracking pixel” Facebook provides to help site operators target ads to their visitors. This appeared to work for all accounts Facebook defines as daily active users.
Neither attack was speedy. Just uploading and setting up the necessary targeting lists took days. Extracting the phone number for a given email took an additional 20 minutes. But the researchers argue it could have helped enable targeted attacks such as phone porting, where a criminal takes over a cellphone number to compromise more valuable accounts, for example with a bank.
Facebook fixed the problem by making its ad targeting tools less powerful. Since Dec. 22, its ad tools no longer show audience sizes when customer data is used to make new ad targeting lists.
“We’re grateful to the researcher who brought this to our attention through our bug bounty program,” says Facebook’s vice president for ads, Rob Goldman. “While we haven’t seen any abuse of this complex technique, we’ve made product changes to prevent this from occurring.” Facebook says its bug-bounty program has paid out nearly $1 million in the past year, in payments starting at $500.
Facebook has had to weaken its ad-targeting systems to prevent them tattling on users before. The company made its tools less granular in 2011, after academic Aleksandra Korolova showed they could be used to infer sensitive data such as a person’s age and sexual orientation.
Krishna Gummadi, a researcher at the Max Planck Institute of Software Systems who worked on the team that forced December’s fix, says it is unlikely to be the last. “If I had to bet on it I would think there are other bugs in there,” he says. “Facebook has data on a lot of people and is making this data accessible to advertisers through some very feature rich interfaces.”