Facebook’s advertising platform is riddled with loopholes that can help miscreants obtain private information on individual users, according to a recent study.

Personally identifiable details – such as someone's email address, full name, date of birth, and home address – are used with their likes and dislikes to slot them into categories for targeted adverts. That means advertisers can zero in on their products' ideal buyers, and, say, sling expensive pet food ads at rich dog owners. However, these systems can also be exploited by scumbags to potentially slurp sensitive records.

Researchers at the University of Southern California, in the US, studied Facebook’s targeted advertising capabilities in detail, and published their findings in a paper late last month.

“We focus on three downsides: privacy violations, microtargeting (i.e., the ability to reach a specific individual or individuals without their explicit knowledge that they are the only ones an ad reaches) and ease of reaching marginalized groups,” the pair, Irfan Faizullabhoy and Aleksandra Korolova, stated in their paper's abstract.

How it works

Anyone with a Facebook profile can set up what's called a custom audience that defines a particular demographic for ad targeting. The trick here is to provide just enough information, and game the system, to narrow down the audience search results not to a select bunch of people, but down to just one unlucky person on the social network.

Although Facebook treats that as an invalid demographic, its other tool, audience insights, which lets advertisers learn more about groups of netizens reached by adverts, can be used with that tiny custom audience to reveal that one person's private information.

It means a miscreant can go on a fishing expedition, looking for a particular person or type of person, and extract private information, such as that person's age, income, how many people they live with, their personal activities, and so on, by combining the custom audience search function and the audience insights analytics.

It seemingly gives anyone the power to learn more about strangers' lives – and there are more than 2,000 types of information that can be discerned per individual user. The researchers experimented with the analytics functions with the consent of their Facebook friends, who they asked to temporarily unfriend them. The duo found the audience insights results to be “highly accurate” when pulling up data on their pals.

Information that can be gleaned from that tiny audience of one can range from hobbies to their family's details.

“Questions such as, 'is this person [or] their wife pregnant?' 'how old are their children?' 'do they like to gamble?' 'are they living at home, or with roommates?' 'do they hunt?' can all be answered, efficiently and at no cost, by anyone,” Faizullabhoy and Korolova warned.

The minimum number of people in a custom audience is, right now, 20. It’s a low number compared to 1,000 for Google, 300 for LinkedIn, and 500 for Twitter. By peppering in 19 fake or complicit accounts, for example, advertisers, and anyone else curious, can narrowly target and snoop on just a single person, or a group of people by going through them one at a time.

Another potential flaw relates to Facebook allowing advertisers to refine their audience by location to within a one-mile radius. Small areas or even single houses can be targeted, as long as there are at least 20 users that match the advert’s criteria. It’s particularly concerning if those areas include vulnerable people who frequent planned parenthood clinics, rehab centers, or medical facilities, as they might be more easily picked out by ad campaigns.

“It's difficult to predict how such a powerful tool can be abused by a clever and resourceful adversary, especially because neither researchers nor users have full transparency into what is feasible using Facebook's advertising platform and what data about them is being used when ad matching and reporting is performed,” Korolova, an assistant professor of computer science, told The Register.

Facebook’s response: Do as little as possible

When the researchers alerted Facebook to these vulnerabilities, they were stonewall. At one point, though, Facebook agreed to increase the number of people able to be targeted using the custom audience tool and audience insights analytics from one to 20. The researchers were required to submit video proof of the network's shortcomings, and were awarded $2,000 from the website's bug bounty program.

Facebook admits: Apps were given users' permission to go into their inboxes READ MORE

When the duo asked Facebook to increase the custom audience size to somewhere between 500 and 1,000, the Silicon Valley giant ignored the request, and still hasn't addressed it. For the geolocation targeting issue, the researchers were asked to “clarify how this bug is able to compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook’s infrastructure.”

After the pair replied, Facebook did not respond, and even closed the bug bounty report, so that they could no longer engage in any sort of dialog.

In the paper, Faizullabhoy and Korolova said they believed the reason why it was so easy to snoop on people via Facebook's ad platform was down to the website's careless approach to privacy. Facebook simply doesn’t care, they stated, to put it bluntly.

“Facebook’s response to our white hat reports of 'single person targeting' that 'this is working as designed' shows an apathy toward micro-targeting and circumventions of the rudimentary micro-targeting protections Facebook has put in place,” the duo stated in their paper.

Facebook declined to comment. Even when appearing before US Congress this week, CEO Mark Zuckerberg continued to dodge questions about the true nature of Facebook’s abilities to silently and secretly track millions of people’s online and offline activities, and how it that information may be passed to third parties with dodgy intentions. ®