A loophole in Facebook’s advertising targeting mechanism could have let attackers obtain users’ phone numbers after they visited websites the attackers controlled, a group of scientists revealed in a paper presented last week.
Facebook, which awarded the researchers a $5,000 bug bounty, has since taken steps to thwart similar attacks, and neither the company nor the researchers say they have any evidence the technique was ever used maliciously.
The potential attack, presented by researchers from Northeastern University and institutions in France and Germany at the Federal Trade Commission’s PrivacyCon, exploits the way Facebook allows advertisers to target ads to custom audiences. Those can be built based on users’ interests, visits to a particular website, email addresses, phone numbers, or other factors known to the social networking company.
Facebook and its rival social networks allow advertisers an essentially unparalleled degree of freedom in automatically targeting messages to particular people based on their interests and demographics. But those liberal advertising policies have come under fire in recent years, with critics saying they enabled everything from racial discrimination and hate speech to surreptitious Russian propaganda.
In this case, though the system is designed not to let advertisers learn the identities of users based on information they don’t make public, the researchers realized that ad audiences built based on the combination of different factors—say, a list of phone numbers and a list of email addresses—would only include each user once. That meant that the number of…