As part of my Nieman fellowship at Harvard, I participated in Professor James Waldo’s Technology and Privacy class. For the final project in this class, I’ve examined how much non-public information Facebook will inadvertently leak if actively manipulated to do so.

Exploiting Custom Audiences

Facebook’s Custom Audience feature is a powerful tool that marketers can use to reach specific individuals via Facebook ads.

As you can see in the screenshot above, Facebook lets marketers create custom audiences based on a customer file, website traffic, activity within apps, offline activity or people who engaged with specific content on Facebook’s owned platforms.

When Facebook launched their Custom Audiences tool, it assured its users that the information marketers would receive would be “anonymous and aggregate ad reporting”.

There are safeguards in place to help prevent abuse of Facebook’s advertising tools. For example, it is impossible to creating targeting parameters that focus on fewer than 20 users.

If you try to upload a custom audience of less than 20 users, or point Facebook’s ad tool at a set of parameters that match less than 20 users, Facebook will kick back an error that looks like the one below…

On the surface this seems like a fairly good set of protections. However, this protection quickly starts to fall apart when you introduce groups of 20+ accounts that you either have full control over, or, share a distinct characteristic (in my work, I used gender) different from your target.

Merge With Target In A Single Custom Audience

To identify non-public information about a a target the process is quite simple; build a custom audience of decoy accounts and include the target account.

Once you’ve created a custom audience that is a mix of decoy accounts and a single target account, you start running ads against this custom audience.

Because Facebook will show if a single user of an ad campaign has been served the ad, as well as the gender of the user served the ad, you have validation that only the target has been served the ad.

Using A Mix Of Fake And Real Facebook Accounts

To help avoid interference with this experiment, the female accounts I included in the custom audience were a mix of my fellow Nieman Fellows, as well as fake facebook accounts I purchased through vendors on blackhatworld.com.

The majority of accounts are delivered with full account details, an associated email address and cookies, along with a browser utility allowing you to inject the account cookies into your browser of choice.

Initial Experiment

I created a new Facebook account (John Harvard, pictured below), and ran the ad below to a custom audience that featured my personal Facebook account as the target.

The Facebook Ad

Facebook reported back that the single person reached by the ad is between the ages of 25 and 34, is located in Massachusetts and was served the ad between 8pm and 9pm. All of this data was 100% correct.

While this information might seem somewhat general, it is disturbing on four points…

It breaks the trust users have with Facebook. When a user chooses to hide their location, age, gender or the times they use the platform, Facebook must universally respect this wish. Under no circumstances should it be made available to a third party without the consent of the user. Aside from simple privacy concerns, there are many reasons that a Facebook user might not want their location, gender, or time of use known by a third party. Facebook’s ad tool could become an incredibly powerful covert surveillance tool used to monitor the movement of journalists, dissidents, etc. I filed a “white hat” report w/ Facebook, the status of which shows “triaged.” Repeated requests for an update have gone unanswered. I was able to replicate this experiment with the same results on 1/27/18

Final Thoughts

While I have extensive experience using Facebook’s ad tool, I am not a trained security researcher. I would love if others tried to replicate this experiment to see if they can reproduce these results.

If you have questions, comments, etc.

@Mkarolian on Twitter

mkarolian@protonmail.com