Facebook Is Reinstating Reach Estimates In Custom Audiences After Fixing A Security Flaw

After more than a year on ice, Facebook is bringing back reach estimates in Custom Audiences.

Facebook suspended the metric, which advertisers would use to preview reach estimates for lists uploaded to Custom Audiences, in March 2018 when academic researchers from Northeastern University discovered a vulnerability.

The exploit could have allowed someone to infer attributes related to the individuals included in an advertiser’s list.

The researchers were rewarded through Facebook’s bug bounty program and the metric was shelved pending investigation.

Facebook re-introduced it Tuesday to buyers on a randomized basis, a process that will continue through the end of the year.

What was the problem?

Simply put (sort of), the researchers could determine the rounding threshold, that is, the point at which Facebook’s system would round up when producing an estimate.

Having identified the threshold, one could ascertain gender, country or any one of more than 1,000 targeting attributes by adding an email to the list, selecting an attribute and checking whether the reach estimate went up or stayed the same.

Anyone diligent enough could mine the metric to build fairly detailed customer profiles.

Over the past year, Facebook worked with the researchers who uncovered the bug to patch the problem. Facebook claims that it never saw anyone take advantage of the exploit.

The solution is threefold: making the rounding logic more complex for how estimates are displayed; improving the backend detection process for potential misuse in collaboration with Facebook’s business integrity team, which investigates security issues; and limiting the number of audiences and API calls that a single account can have.

Restricting the API calls and capping the number of audiences won’t have an impact on how advertisers use the metric, but should prevent anyone from manipulating it. A high volume of API calls from one account can be a sign of potential misuse.
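As an added illustration (this is not code from the article, and not Facebook’s implementation), the Python below models the failure mode and the class of mitigation the article describes. A reach estimate that rounds the true count at a fixed boundary changes when a single record is added at that boundary, which is the observable the researchers used. A version that derives its rounding offset from a keyed hash of the list contents, reports nothing for lists under a minimum size and enforces a per-account call cap with a misuse flag removes that stable observable. The bucket size, minimum audience size, quota and salt are assumptions chosen for the example; Facebook’s real rounding rules are not public.

```python
import hashlib
from collections import defaultdict

# Constructed parameters for the example; not Facebook's real values.
BUCKET = 10            # estimates are displayed as multiples of this
MIN_AUDIENCE = 20      # lists below this floor get no estimate at all
SECRET_SALT = b"server-side-secret-example"  # placeholder; a real deployment keeps this private


def naive_reach_estimate(audience):
    """Round-half-up estimate with a fixed boundary (the pattern the article describes).

    Because the boundary is the same for every list, the displayed number moves by a
    whole bucket as soon as one more record is counted at the boundary, so whether a
    single added record was counted is visible from the outside.
    """
    n = len(set(audience))
    return ((n + BUCKET // 2) // BUCKET) * BUCKET


def hardened_reach_estimate(audience, salt=SECRET_SALT):
    """Assumed hardening for illustration, not Facebook's actual logic.

    The rounding offset comes from a keyed hash of the list contents, so the boundary
    differs per list and is re-randomised by any change to the list. Repeated queries
    on the same unchanged list return the same value, so the noise cannot be averaged
    away by re-asking. Lists below MIN_AUDIENCE report 0 so that tiny lists leak nothing.
    """
    members = sorted(set(audience))
    n = len(members)
    if n < MIN_AUDIENCE:
        return 0
    digest = hashlib.sha256(salt + "\n".join(members).encode("utf-8")).digest()
    offset = digest[0] % BUCKET          # 0..BUCKET-1, unpredictable without the salt
    return ((n + offset) // BUCKET) * BUCKET


class ReachEstimateService:
    """Front end for the estimator that enforces a per-account call cap and flags
    accounts that exceed it, mirroring the quota-plus-detection control in the article."""

    def __init__(self, max_calls_per_account=50):
        self.max_calls = max_calls_per_account
        self.calls = defaultdict(int)
        self.flagged = set()

    def estimate(self, account_id, audience):
        self.calls[account_id] += 1
        if self.calls[account_id] > self.max_calls:
            self.flagged.add(account_id)   # hand off to a review queue in a real system
            raise PermissionError(f"account {account_id} exceeded reach-estimate quota")
        return hardened_reach_estimate(audience)


def flagged_accounts(service):
    """Accounts the misuse detector has set aside for review."""
    return sorted(service.flagged)


if __name__ == "__main__":
    # Constructed sample lists of placeholder addresses.
    base = [f"user{i}@example.invalid" for i in range(14)]
    print("naive, 14 records:", naive_reach_estimate(base))
    print("naive, 15 records:", naive_reach_estimate(base + ["extra@example.invalid"]))
    bigger = [f"user{i}@example.invalid" for i in range(25)]
    print("hardened, 25 records:", hardened_reach_estimate(bigger))
```

The per-list re-randomisation on its own is not a complete fix: someone who can submit many variants of a list could still gather statistics across them, which is why the call cap and the misuse flag are the complementary control rather than an optional extra. The minimum-size floor closes the other end, where very small lists would otherwise expose near-exact counts.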

This isn’t the first time Custom Audiences was found to be vulnerable to possible abuse. The same Northeastern researchers who found the Custom Audience reach estimate issue unearthed a similar bug within Custom Audiences in December 2017 that would allow someone to figure out a user’s cell phone number from their email address.

A Facebook spokesperson said that advertisers have been consistently requesting to get the metric back, even though they had alternative tools when reach estimates in Custom Audiences weren’t available.

But Facebook decided not to rush things this time. “We’re doing this a little more slowly than with other products to be cautious and make sure everything is going as intended,” the spokesperson said.

Phillip Huynh, VP of paid social at 360i, said he’ll be pleased to see reach estimates back in their rightful place in Ads Manager.

“This allows us to, once again, understand the audience we’re targeting and make appropriate decisions on investment,” Huynh said, as well as keep tabs on audience sizes as upcoming changes to the platform begin to roll out, including Clear History.
