Facebook Is Reinstating Reach Estimates In Custom Audiences After Fixing A Security Flaw


After more than a year on ice, Facebook is bringing back reach estimates in Custom Audiences.

Facebook suspended the metric, which advertisers would use to preview reach estimates for lists uploaded to Custom Audiences, in March 2018 when academic researchers from Northeastern University discovered a vulnerability.

The vulnerability could have allowed someone to infer personal attributes of the individuals on an advertiser’s uploaded list.

The researchers were rewarded through Facebook’s bug bounty program and the metric was shelved pending investigation.

Facebook re-introduced it Tuesday to buyers on a randomized basis, a process that will continue through the end of the year.

What was the problem?

Simply put (sort of), reach estimates are rounded, and the researchers could determine the rounding threshold, aka the point at which Facebook’s system would round up to the next displayed value.

Having identified the threshold, one could ascertain gender or country or any one of more than 1,000 targeting attributes: pad a list until it sat just below the threshold, add a single target email, select the attribute as a targeting filter and check whether the reach estimate ticked up or stayed the same. An increase meant the added person matched the attribute.

Anyone diligent enough could repeat this one attribute at a time and mine the metric to build fairly detailed customer profiles.

Over the past year, Facebook worked with the researchers who uncovered the bug to patch the problem. Facebook says it found no evidence that anyone exploited the flaw.

The solution is threefold: making the rounding logic more complex for how estimates are displayed; improving the backend detection process for potential misuse in collaboration with Facebook’s business integrity team, which investigates security issues; and limiting the number of audiences and API calls that a single account can have.

Restricting API calls and capping the number of audiences won’t affect how advertisers normally use the metric, but should prevent anyone from manipulating it: every attribute inferred this way requires a string of estimate queries, so an unusually high volume of API calls can be a sign of potential misuse.
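The threshold attack described above, and the effect of the two countermeasures the article mentions (less predictable rounding and a cap on API calls), as an added simulation. This is illustrative code written for this page, not code from AdExchanger, Facebook or the Northeastern researchers; the user directory, the e-mail addresses, the granularity of 10, the secret per-audience rounding offset and the query cap are all constructed assumptions, since the page does not give the real values or the real rounding logic.

```python
"""Simulation of the rounded reach-estimate inference attack and of two
countermeasures. Added illustration: the user directory, e-mails, rounding
granularity, secret offset and query cap are constructed assumptions."""
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed user directory: e-mail -> targeting attributes (assumption).
USERS: Dict[str, Dict[str, str]] = {
    "victim@example.com": {"gender": "female", "country": "US"},
    "other@example.com": {"gender": "male", "country": "US"},
}
# Accounts the attacker controls, all known to be female / US (assumption).
PADDING: List[str] = [f"pad{i}@example.com" for i in range(30)]
USERS.update({e: {"gender": "female", "country": "US"} for e in PADDING})


class QueryLimitExceeded(Exception):
    """Raised when an account exceeds its reach-estimate query budget."""


class Platform:
    """Vulnerable estimator: matched count rounded down to a multiple of 10."""
    GRANULARITY = 10

    def __init__(self, users: Dict[str, Dict[str, str]],
                 max_queries: Optional[int] = None):
        self._users = users
        self._max_queries = max_queries
        self.queries = 0

    def reach_estimate(self, audience: Set[str], attribute: str, value: str) -> int:
        self.queries += 1
        if self._max_queries is not None and self.queries > self._max_queries:
            raise QueryLimitExceeded
        matched = sum(
            1 for e in audience
            if e in self._users and self._users[e].get(attribute) == value
        )
        return self._round(matched, audience)

    def _round(self, count: int, audience: Set[str]) -> int:
        return count - count % self.GRANULARITY


class HardenedPlatform(Platform):
    """Assumed countermeasures: the rounding point is shifted by a secret
    offset derived from the audience itself (stable for repeated queries of
    the same list, so it cannot be averaged away, but different for every
    list), plus a per-account cap on estimate queries."""

    def __init__(self, users: Dict[str, Dict[str, str]], secret: bytes,
                 max_queries: Optional[int] = None):
        super().__init__(users, max_queries)
        self._secret = secret

    def _round(self, count: int, audience: Set[str]) -> int:
        key = ",".join(sorted(audience)).encode()
        digest = hmac.new(self._secret, key, hashlib.sha256).digest()
        shifted = count + digest[0] % self.GRANULARITY
        return shifted - shifted % self.GRANULARITY


def find_threshold(platform: Platform, padding: List[str],
                   attribute: str, value: str) -> Optional[int]:
    """Add controlled accounts one by one and return how many it takes for
    the rounded estimate to first tick up (the rounding threshold)."""
    audience: Set[str] = set()
    previous = platform.reach_estimate(audience, attribute, value)
    for k, email in enumerate(padding, start=1):
        audience.add(email)
        estimate = platform.reach_estimate(audience, attribute, value)
        if estimate > previous:
            return k
        previous = estimate
    return None


def infer_attribute(platform: Platform, padding: List[str], target: str,
                    attribute: str, value: str) -> Optional[bool]:
    """Park the list one account short of the threshold, add the target and
    see whether the estimate moves. None means the attack could not finish."""
    try:
        k = find_threshold(platform, padding, attribute, value)
        if k is None:
            return None
        base = set(padding[:k - 1])
        without = platform.reach_estimate(base, attribute, value)
        with_target = platform.reach_estimate(base | {target}, attribute, value)
    except QueryLimitExceeded:
        return None
    return with_target > without


if __name__ == "__main__":
    for email in ("victim@example.com", "other@example.com"):
        print(email, "female?",
              infer_attribute(Platform(USERS), PADDING, email, "gender", "female"))
    hardened = HardenedPlatform(USERS, b"server-secret", max_queries=3)
    print("hardened:", infer_attribute(hardened, PADDING,
                                       "victim@example.com", "gender", "female"))
```

Against the plain floor-to-10 estimator the probe needs the threshold plus two more queries and answers correctly for any attribute the padding accounts share with the target. Against the hardened variant the threshold learned on one list does not carry over to the next, because every distinct audience gets its own secret offset, and a query budget smaller than the probe needs ends the attempt before it can report anything; in a real deployment the budget would be far larger than the three used here, which is chosen only to make the failure visible on this tiny directory.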

This isn’t the first time Custom Audiences was found to be vulnerable to possible abuse. The same Northeastern researchers who found the Custom Audience reach estimate issue unearthed a similar bug within Custom Audiences in December 2017 that would allow someone to figure out a user’s cell phone number from their email address.

A Facebook spokesperson said that advertisers have been consistently requesting to get the metric back, even though they had alternative tools when reach estimates in Custom Audiences weren’t available.

But Facebook decided not to rush things this time. “We’re doing this a little more slowly than with other products to be cautious and make sure everything is going as intended,” the spokesperson said.

Phillip Huynh, VP of paid social at 360i, said he’ll be pleased to see reach estimates back in their rightful place in Ad Manager.

“This allows us to, once again, understand the audience we’re targeting and make appropriate decisions on investment,” Huynh said, as well as keep tabs on audience sizes as upcoming changes to the platform begin to roll out, including Clear History.
