Incident: Facebook Ad-Targeting Tools Revealed User Phone Numbers - Impact and Fix

Published Date: 2018-01-07

Postmortem Analysis
Timeline
1. Facebook's self-service ad-targeting tools could reveal users' cellphone numbers from their email addresses until a few weeks before the article was published on January 7, 2018 [67274]. The software failure incident therefore likely occurred in December 2017.

System
1. Facebook's self-service ad-targeting tools [67274]
2. Custom Audiences feature of Facebook [67274]

Responsible Organization
1. Facebook [67274]

Impacted Organization
1. Facebook users [67274]

Software Causes
1. Software flaw in Facebook's self-service ad-targeting tools that could be manipulated to reveal users' cellphone numbers from their email addresses and to collect phone numbers for users who visited specific webpages [67274].

Non-software Causes
1. Lack of proper data privacy policies and enforcement by Facebook [67274]
2. Over-reliance on user-provided information for security measures [67274]

Impacts
1. The software failure incident allowed potential access to users' phone numbers, which was a clear breach of Facebook's data-use policy [67274].
2. The incident exposed a flaw in Facebook's self-serve ad-targeting tools, which could reveal users' phone numbers from their email addresses and webpage visits [67274].
3. The incident highlighted the trade-off Facebook faces between convincing users to trust it with their personal data and providing advertisers with data access, posing risks to user privacy [67274].
4. Researchers were able to exploit the software flaw to collect phone numbers en masse for Facebook users, potentially enabling targeted attacks like phone porting [67274].
5. Facebook had to weaken its ad-targeting systems to prevent similar incidents in the future, indicating ongoing vulnerabilities in the platform [67274].

Preventions
1. Implementing stricter data privacy controls and regularly auditing the ad-targeting tools to identify and fix potential vulnerabilities [67274].
2. Conducting thorough security testing and penetration testing on the ad-targeting tools to uncover any weaknesses before they can be exploited [67274].
3. Enhancing user data protection measures and ensuring that user information is not inadvertently exposed through the platform's features [67274].

Fixes
1. Facebook fixed the software failure incident by making its ad targeting tools less powerful [67274].

References
1. Facebook's data-use policy [67274]
2. Academic researchers from the US, France, and Germany who reported the problem [67274]
3. Neil Gong, a professor at Iowa State who works on social-network privacy [67274]
4. Alan Mislove, a professor at Northeastern who worked on the project that exposed the problem [67274]
5. French research institutions EURECOM and University of Grenoble Alpes, and the Max Planck Institute for Software Systems in Germany [67274]
6. The security conference where the findings will be presented [67274]
7. The volunteers from the Boston area and France who provided their email addresses associated with their Facebook accounts [67274]
8. The researchers from the Max Planck Institute of Software Systems who forced the fix in December [67274]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident related to Facebook's ad-targeting tools revealing users' phone numbers from email addresses is an example of a software flaw within the same organization. This incident involved a breach in Facebook's data-use policy, where researchers were able to exploit a flaw in Facebook's self-serve ad-targeting tools to collect phone numbers of users [67274]. The incident led to Facebook fixing the problem and paying a bug bounty to the researchers who reported it. (b) The article mentions that similar incidents of software flaws are not uncommon in technology, indicating that such issues may have occurred at other organizations as well. The incident involving Facebook's ad-targeting tools highlights the risks associated with data privacy and the challenges faced by companies like Facebook in balancing user trust with providing data to advertisers [67274]. The researchers who discovered the flaw will present their findings at a security conference, suggesting that such vulnerabilities may exist in other systems beyond Facebook.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the Facebook case can be attributed to a design flaw in the self-service ad-targeting tools. The incident occurred due to a vulnerability in Facebook's Custom Audiences feature, which allowed researchers to exploit the system and reveal users' phone numbers by manipulating audience size and overlap feedback provided by the tool [67274]. (b) The software failure incident can also be linked to an operational failure as it involved the misuse of Facebook's ad-targeting tools by the researchers to extract phone numbers of users. The exploitation of the system's features and feedback mechanisms to collect phone numbers can be considered an operational failure in terms of how the tools were used beyond their intended purpose [67274].
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident reported in the article is primarily due to a flaw within Facebook's self-service ad-targeting tools. The incident involved exploiting a vulnerability in Facebook's Custom Audiences feature, which allowed researchers to extract users' phone numbers from their email addresses. This flaw was within Facebook's system and was not caused by external factors [67274]. (b) outside_system: While the software failure incident itself was caused by a flaw within Facebook's system, the incident also highlights the broader issue of balancing data privacy and security within Facebook's business model. The incident sheds light on the risks associated with Facebook's need to both protect user data and provide advertisers with access to that data. This external factor, related to the nature of Facebook's business model and the challenges it poses in terms of data privacy, contributed to the software failure incident [67274].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the Facebook case was primarily due to non-human actions, specifically a flaw in Facebook's self-service ad-targeting tools that could be exploited to reveal users' phone numbers from their email addresses and collect phone numbers for users who visited specific webpages. This flaw allowed for the potential access to users' phone numbers, which was a clear breach of Facebook's data-use policy [67274]. The incident was not a result of intentional human actions but rather a vulnerability in the software system that could be exploited by researchers to extract sensitive information. (b) On the other hand, human actions were involved in reporting the software flaw to Facebook. A team of academic researchers from the US, France, and Germany identified the problem and reported it to Facebook, leading to the company fixing the issues and paying a bug bounty to the researchers who discovered the flaw [67274]. Additionally, Facebook's vice president for ads, Rob Goldman, acknowledged the researcher's contribution through the bug bounty program and mentioned that they made product changes to prevent such incidents from occurring in the future [67274].
Dimension (Hardware/Software) | software | (a) The software failure incident reported in the articles does not seem to be related to hardware issues. The incident primarily revolves around a flaw in Facebook's self-service ad-targeting tools that allowed the mass collection of users' phone numbers from their email addresses and webpage visits. The flaw was exploited by researchers to reveal users' phone numbers, indicating a software-related vulnerability rather than a hardware issue [67274]. (b) The software failure incident is directly linked to software issues. The flaw in Facebook's ad-targeting tools, specifically the Custom Audiences feature, allowed for the unauthorized collection of users' phone numbers by exploiting the way audience size and overlap figures were rounded and reported. This software vulnerability enabled the researchers to extract phone numbers from email addresses and track users who visited specific websites with Facebook's tracking pixel. The incident highlights a software flaw in Facebook's system that was exploited to access sensitive user data [67274].
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident described in the article is non-malicious. It was a result of a flaw in Facebook's self-service ad-targeting tools that inadvertently allowed the collection of users' phone numbers without their permission. The incident was reported by a team of academic researchers who discovered the problem and reported it through Facebook's bug bounty program [67274]. The incident was not a deliberate act to harm the system but rather a vulnerability that was exploited unintentionally. (b) The incident was not malicious in nature, as there is no evidence that anyone took advantage of the flaw to obtain user phone numbers for malicious purposes. The researchers who discovered the issue were from academic institutions in the US, France, and Germany, and their objective was to highlight the vulnerability and help Facebook improve its security measures [67274].
Intent (Poor/Accidental Decisions) | accidental_decisions | (a) The intent of the software failure incident was not due to poor decisions but rather due to accidental decisions or mistakes. The incident was a result of a flaw in Facebook's self-service ad-targeting tools that could be exploited to reveal users' phone numbers from their email addresses or from visiting specific webpages. The incident was not intentional but rather a consequence of a software vulnerability that was exploited by academic researchers [67274].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident described in the article can be attributed to development incompetence. The incident involved a flaw in Facebook's self-service ad-targeting tools that allowed the mass collection of users' phone numbers from their email addresses and webpage visits. This flaw was exploited by academic researchers who reported the issue to Facebook, leading to a bug bounty payout. The incident highlighted the challenges Facebook faces in balancing user data security and advertiser access, indicating a lapse in professional competence in ensuring data privacy ([67274]). (b) The software failure incident can also be categorized as accidental. Facebook did not have evidence that anyone had taken advantage of the flaw to obtain user phone numbers, suggesting that the exposure of this vulnerability was not intentional. Additionally, the researchers who discovered the issue were not malicious actors but academic researchers from the US, France, and Germany who reported the problem to Facebook. The incident was not a deliberate act but rather a result of unintentional flaws in Facebook's ad-targeting tools ([67274]).
Duration | temporary | (a) The software failure incident described in the article was temporary. The incident involved a flaw in Facebook's self-service ad-targeting tools that allowed for the mass collection of users' phone numbers from their email addresses and webpage visits. This flaw was exploited by academic researchers who reported the issue to Facebook, leading to a fix being implemented on Dec. 22 [67274]. (b) The software failure incident was not permanent as it was addressed and fixed by Facebook. The incident was due to specific circumstances related to the flaw in the ad-targeting tools that allowed for the unauthorized collection of user phone numbers. The fix involved making changes to the ad targeting tools to prevent such exploitation in the future [67274].
Behaviour | value, other | (a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions. Instead, the incident revolves around a flaw in Facebook's self-service ad-targeting tools that allowed the revelation of users' phone numbers from their email addresses [67274]. (b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at an instance(s). The flaw in Facebook's ad-targeting tools allowed for the collection of phone numbers from email addresses, which was not an omission but rather an unintended data exposure [67274]. (c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. The issue with Facebook's ad-targeting tools was not about timing but rather about the unintended disclosure of user phone numbers due to a flaw in the system [67274]. (d) value: The software failure incident does involve a failure due to the system performing its intended functions incorrectly. The flaw in Facebook's ad-targeting tools led to the incorrect exposure of user phone numbers, which was a clear breach of Facebook's data-use policy [67274]. (e) byzantine: The failure is not related to the system behaving erroneously with inconsistent responses and interactions. The incident with Facebook's ad-targeting tools was more about a specific flaw that allowed the collection of user phone numbers through email addresses, rather than exhibiting inconsistent behavior [67274]. (f) other: The behavior of the software failure incident can be categorized as a data exposure vulnerability. The flaw in Facebook's ad-targeting tools enabled the unauthorized access to user phone numbers, which was not the intended function of the system and posed a risk to user privacy [67274].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving Facebook's self-service ad-targeting tools allowed for the potential unauthorized access to users' phone numbers associated with their accounts. This breach of data security could have led to the collection of phone numbers for Facebook users without their consent. Facebook fixed the issue on December 22 and paid a bug bounty to the team of academic researchers who reported the problem. The incident highlighted the risks associated with accidental slip-ups in software flaws, especially for a company like Facebook that relies on user data for its business model [67274].
Domain | information, finance, other | (a) The software failure incident reported in the articles is related to the information industry, specifically social networking and data handling. The incident involved a flaw in Facebook's self-service ad-targeting tools that allowed the mass collection of users' phone numbers from their email addresses, highlighting a breach of data-use policy and privacy concerns [67274]. The incident also emphasized the trade-off between convincing users to share personal data and providing advertisers with access to that data, showcasing the challenges faced by companies like Facebook in managing user data securely [67274]. (h) Additionally, the incident is relevant to the finance industry as it pertains to the security and privacy of user data, which is crucial in financial transactions and interactions. The potential exploitation of the software flaw could have led to targeted attacks such as phone porting, where criminals take over cellphone numbers to compromise more valuable accounts, including those related to banking and financial services [67274]. (m) The software failure incident can also be categorized under the "other" industry as it involves the broader domain of technology and software development. The incident highlights the common occurrence of software flaws in technology and the continuous efforts required to identify and address such vulnerabilities to ensure data security and user privacy [67274].
