Home Privacy Facebook Is Reinstating Reach Estimates In Custom Audiences After Fixing A Security Flaw

Facebook Is Reinstating Reach Estimates In Custom Audiences After Fixing A Security Flaw

SHARE:

After more than a year on ice, Facebook is bringing back reach estimates in Custom Audiences.

Facebook suspended the metric, which advertisers would use to preview reach estimates for lists uploaded to Custom Audiences, in March 2018 when academic researchers from Northeastern University discovered a vulnerability.

The exploit could have allowed someone to infer attributes related to the individuals included in an advertiser’s list.

The researchers were rewarded through Facebook’s bug bounty program and the metric was shelved pending investigation.

Facebook re-introduced it Tuesday to buyers on a randomized basis, a process that will continue through the end of the year.

What was the problem?

Simply put (sort of), researchers could determine the rounding threshold, aka, the point at which Facebook’s system would round up to create an estimate.

Having identified the threshold, one could ascertain gender or country or any one of more than 1,000 targeting attributes, by adding an email to the list, selecting an attribute and checking if the reach estimate went up or stayed the same.

Anyone diligent enough could mine the metric to build fairly detailed customer profiles.

Over the past year, Facebook worked with the researchers who uncovered the bug to patch the problem. Facebook claims that it never saw anyone take advantage of the exploit.

The solution is threefold: making the rounding logic more complex for how estimates are displayed; improving the backend detection process for potential misuse in collaboration with Facebook’s business integrity team, which investigates security issues; and limiting the number of audiences and API calls that a single account can have.

Restricting the API calls and capping the number of audiences won’t have an impact on how advertisers use the metric, but should prevent anyone from manipulating it. Multiple API calls can be a sign of potential misuse.

This isn’t the first time Custom Audiences was found to be vulnerable to possible abuse. The same Northeastern researchers who found the Custom Audience reach estimate issue unearthed a similar bug within Custom Audiences in December 2017 that would allow someone to figure out a user’s cell phone number from their email address.

A Facebook spokesperson said that advertisers have been consistently requesting to get the metric back, even though they had alternative tools when reach estimates in Custom Audiences weren’t available.

But Facebook decided not to rush things this time. “We’re doing this a little more slowly than with other products to be cautious and make sure everything is going as intended,” the spokesperson said.

Phillip Huynh, VP of paid social at 360i, said he’ll be pleased to see reach estimates back in its rightful place in Ad Manager.

“This allows us to, once again, understand the audience we’re targeting and make appropriate decisions on investment,” Huynh said, as well as keep tabs on audience sizes as upcoming changes to the platform begin to roll out, including Clear History.

Must Read

Adobe Advertising Just Launched Its Own Custom Algorithms Product

Last week, Adobe Advertising announced the general release of its own Custom Algorithms product, which is “a huge departure from the TubeMogul days,” Erwin Castellanos, GM of Adobe Advertising, tells AdExchanger.

MFA Ad Spend Is Increasing. Is AI Slop To Blame?

This year, the percentage of ad spend going toward made-for-advertising (MFA) sites went up instead of down for the first time since 2023.

Kickbacks Takes An Outsider’s View While Bringing Ads To AI Agents

Andrew McCalip is a founding engineer at Varda Space Industries, where he oversees the manufacturing of things like hypersonic reentry vehicles and satellite buses.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

CTV Buyers Are Getting The Show-Level Performance Optimization They’ve Always Wanted

A collaboration between InterMedia Advertising, Peer39 and Pontiac Intelligence provided show-level cost-per-acquisition data for 94% of CTV ad impressions.

Advertisers Await Programmatic Pause Ads

The IAB Tech Lab is working on standardizing programmatic signals for new streaming TV ad formats, including pause ads. Meanwhile, many brands are eager to add pause ads to their repertoire.

Why Media Mergers And Spin-Offs Don’t Always Keep Their Promises

With media megamergers, acquisitions and spin-offs left and right, the media landscape is changing at a pace that is difficult to keep up with.