Boffins find new ways to slurp private info from Facebook addicts using precision-targeted ads

Facebook’s advertising platform is riddled with loopholes that can help miscreants obtain private information on individual users, according to a recent study. Personally identifiable details – such as someone's email address, full name, date of birth, and home address – are used with their likes and dislikes to slot them into …

  1. Inventor of the Marmite Laser Silver badge

    Does the data provide ENOUGH resolution?

    For instance, would it identify someone who, when presented with targeted advertising - or, indeed, any of the mindless trash that gets hawked around - would be quite happy to rip the author's head off and defecate down their neck?

    We might be on to something

    1. Teiwaz Silver badge

      Re: Does the data provide ENOUGH resolution?

      any of the mindless trash that gets hawked around - would be quite happy to rip the author's head off and defecate down their neck?

      Toilet paper ads maybe ?

      Well, a tie is just 'so' long, and a silk one I imagine would be a little like that shiny 'greaseproof' bogroll you used to sometimes get in public lavs...

  2. Nate Amsden Silver badge

    missing the point?

    The platform was designed to invade privacy (paraphrasing Zuckerberg's early quote "dumb fucks"), as were pretty much, if not all, other social media platforms.

    I'm sure Google goes even further; they just haven't been exposed to the extent Facebook has been yet.

    It is unfortunate that so many people are happy to give up all of this info in exchange for using these services. I saw one headline on a news site, I think it was from a U.S. senator, saying "Facebook should be paying US (the users) for this data!". Obviously it went over their head that they are giving you value back in "free" usage of the platform, paying for all those developers and servers and data centers etc.

    I would pay money to see what data Facebook and Google have gotten on me, but even if they did offer that service (I think Google does to some small extent), I have too much fear that they would then validate "that is me" in their data by me doing such a thing. (I have never had a Facebook account. I do have a Google account for Android (I don't use Gmail, I use Firefox as my browser, and am careful about what apps get installed), and I do have a Google account for work for Google Docs (rarely used).)

    1. Ian Michael Gumby Silver badge

      Re: missing the point?

      Google ?

      Oh they are capturing much more information. So much so, that they don't need to use cookies.

      Ask yourself why do many well known sites still use google analytics? ;-)

      But overall, none of this should be a shock to anyone.

      You are the product. Without you, FB would be nothing.

      Unfortunately even if you don't have a FB account, they are tracking you too.

    2. Anonymous Coward

      Re: missing the point?

      "I would pay money to see what data Facebook and Google have gotten on me but even if they did offer that service (I think Google does to some small extent), I have too much fear that they would then validate "that is me" in their data by me doing such a thing."

      Wait for GDPR and not only will it not cost you, but once you receive it, you can send it back to them with "Thanks, now can you please remove all this data?".

      1. Anonymous Coward

        Re: missing the point?

        Wait for GDPR and not only will it not cost you, but once you receive it, you can send it back to them with "Thanks, now can you please remove all this data?".

        In Europe and the UK, yes.

        If he's a US resident, then his data doesn't belong to him, and whilst he has the right to bear arms he has no right to privacy. And wandering off topic, I suspect the Founding Fathers actually meant "the right to bare arms", intending to confer the freedom to wear tee shirts, instead of every man-jack wandering around shooting people with assault rifles.

        1. Stumpy

          Re: missing the point?

          ... no, it's the right to arm bears. After all, gotta give them a sporting chance against the Huntin' Fishin' Shootin' brigade...

          1. The Boojum

            Re: missing the point?


            1. Colabroad

              Re: missing the point?

              No, no, it's the right to keep the upper limbs of ursidae.

  3. bombastic bob Silver badge


    I wonder what kinds of nefarious things can be done with THAT...

    a) spear phishing

    b) harassment

    c) manipulation

    d) blackmail

    e) evil gossip

    f) get target to show up someplace at a given time

    g) get target to take pictures doing specific things

    h) all of the above

    I can think of many ways to do "all of those", if given the ability to make this happen. Good thing I'm a 'white hat' [ok maybe a slight touch of grey]

    consider what 419eater has been able to do, for example, with 419 scammers. And I really liked that 'Africa' video with the song 'Africa' by Toto. It was a crowning moment of awesome!

    1. Anonymous Coward

      Re: microtargeting

      Now combine that with the user's Google credentials and any other accounts assigned to their smartphone, along with IMEI, location data, IP address, phone contact list, photos, musical taste, installed applications (like banking apps) etc. etc. that can be gleaned by a dodgy Android app, and the developer has unlimited possibilities.

      Facebook's Graph and unscrupulous advertising SDKs embedded in apps have created the largest single attack vector ever.

      The Graph API allows advertising SDKs to push advertising and other data into the user's Facebook feed, and I have seen advertising SDKs that actively view the source code of shared web pages to inject JavaScript to make users' phones vibrate and pop up fake virus warnings to trick users into downloading even more dodgy apps.

      The fake virus warnings or other annoying persistent ads that pop up on Android devices are (almost) impossible to trace because they originate from unsuspecting users' devices as they share content on Facebook that has been modified by the SDKs within apps on the sending user's device without their knowledge.

      An Android user that views a shared Facebook link or video sent by a user that has a dodgy app installed will be redirected to a full-screen fake virus warning while their phone vibrates, and it usually links to a dodgy "antivirus" app on the Google Play store to remove the non-existent "viruses", thus continuing the spread of modified Facebook links if the victim installs the dodgy "antivirus" app.

      In order for this to work the person receiving the modified Facebook page or link must also meet certain criteria as far as what apps are installed on their device.

      Most of the offending advertising SDKs I have documented that do this are from foreign countries such as China.

      1. LameSoftwareDeveloper

        Re: microtargeting

        I recently implemented a system for a client that used Facebook's advertising API to do some clever tracking.

        The client wanted to track every user who clicks from a Facebook ad and purchases something. He also wanted to track every user who started the checkout procedure but didn't complete.

        This is possible with Facebook pixels. The client wanted to re-advertise ads to all users who had made a purchase. He also wanted to hound the users who didn't complete the checkout procedure.

        How did he do this you might ask?

        Let's say for example my client is selling beds. A user clicks through to purchase but for some reason doesn't complete. These are what's called lukewarm leads. The client wanted these users to see ads that promoted reviews, or articles, to warm the user into purchasing. For users who do purchase, he then promotes accessories and related products.

        His idea worked and his business is making a serious amount of money solely from these aggressive marketing tactics.

  4. Jay Lenovo Silver badge

    In Zuckerberg We Trust

    Jones: Where is our PII?

    Zuckerberg: I thought we'd settled that. Your PII is somewhere very safe.

    Jones: From whom?

    Brody: The PII is a source of unspeakable power and it has to be protected!

    Zuckerberg: And it will be, I assure you, Doctor Brody, Doctor Jones. We have top men protecting it right now.

    Jones: Who?!

    Zuckerberg: Top... men.

  5. Anonymous Coward

    So why am I being targeted...

    ... with waste management ads?

    1. Fungus Bob Silver badge

      Re: So why am I being targeted...

      Because somebody has to waste management!!

  6. goldcd

    Hold on a moment..

    "The minimum number of people in a custom audience is, right now, 20. It’s a low number compared to 1,000 for Google, 300 for LinkedIn, and 500 for Twitter. By peppering in 19 fake or complicit accounts, for example, advertisers, and anyone else curious, can narrowly target and snoop on just a single person, or a group of people by going through them one at a time."

    Yes Facebook might allow a custom audience of 20 - but that's just "interesting"

    Even taking that upper number of 1,000, you think there's somebody out there employing a copy-writer to design custom adverts for 1,000 unique people?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Hold on a moment..

      People exploiting that low minimum won't be hiring copywriters. They'll be mining for personal information.


      1. Anonymous Coward

        Re: Hold on a moment..

        People exploiting that low minimum won't be hiring copywriters.

        Do you know that? Hand-crafted adverts/threats/cajolements for very specific audiences could be a very lucrative sideline.

  7. Anonymous Coward

    'Facebook’s response: Do as little as possible'

    Is Zuckerberg embarrassed by how manipulative his baby has become:

    Or is Zuck a voyeur / data-perv with a 2-Billion-boner? To some men, the power of mass influence and surveillance is in itself a drug. Zuckerberg & Alexander Nix are the exact same if you think about it. Global power hunting the weak. We're all Pawns on a behavioral chessboard to their dodgy firms!

  8. The Nazz Silver badge


    Is it too late to get several fake profiles and data past FB's sign on processes?

    Surely, it's time for the authorities to force FB to prove that every one of their claimed 13bn ( ok, ok 2bn) accounts is actually genuine.

    And as for asking for their data ...

    My mate : Hey Facebook, do you hold any data on me?

    FB : Well, click on this link, fill in the form and we'll get back to you.

    My mate : Clickety click. Well do you hold any data on me?

    FB : We do now.

    1. Blank Reg

      Re: Verification

      I created a fake fb account many years ago using one of my garbage collecting email accounts that I use to sign up for stuff that I don't care too much about. That account has no friends, and when I check the email to dump it all in the trash it is filled with friend suggestions that are exclusively attractive young women.

      I guess that is because the only profile info they would have is that I'm male and have no friends, so how about you friend this hot, young Romanian "woman"? I'm sure she would be interested in a friendless loser with no apparent job or interests.

  9. The Nazz Silver badge

    Save someone some time

    Questions such as, 'is this person [or] their wife pregnant?' 'how old are their children?' 'do they like to gamble?' 'are they living at home, or with roommates?' 'do they hunt?' can all be answered, efficiently and at no cost,

    over 18

  10. Anonymous Coward

    Welcome to 'Facebook Analytica'

    "It's difficult to predict how such a powerful tool can be abused by a clever and resourceful adversary, especially because neither researchers nor users have full transparency into what is feasible using Facebook's advertising platform and what data about them is being used when ad matching and reporting is performed"

    Coming to an election near you - real soon!

  11. Mark 85 Silver badge

    This is almost bad science fiction or space opera, where the "monster" grows and spreads around the world until it's too big to even nuke from space.

    1. Anonymous Coward

      Re: the "monster" grows and spreads around the world

      ah ... like a sort of internet Krynoid...

  12. anothercynic Silver badge


    ... As this university also gets banned from 'the platform' because it exposed the data slurp, as per Facebook standard MO.

  13. Laughing Gravy


    What ads, targeted or otherwise? Haven't seen any in years. Ad blockers, trackers blocked, NoScript etc., anonymous behind a VPN. Also some sort of FB plugin that controls what I see when I use it occasionally, you know, the 'people you might know' shite as well as ads.

    Anything I'm missing besides the grief?

  14. Anonymous Coward

    There's a Zucker-berg born every day

    It was always a PI black hole.

    Just not a very secure one it seems.

    Major Fail.

  15. IsJustabloke Silver badge

    Oh well...

    As with all these things it's only as good as the data it slurps... I have a Facebook page for a photography business, so that means I also have a Facebook profile, except it thinks I'm a 23 year old female with a birthday in October. I even used a throwaway mobile phone number when it nagged me for one.

    In reality, I'm a 54 year old man with a birthday in Feb :D

    Of course, my feed is full of adverts for Tampax and panty pads :D

  16. John Smith 19 Gold badge

    This is *outrageous*. Don't these people know only FB has the right to slurp that data?

    Bad developers. Bad developers.

  17. Anonymous Coward

    and in other news...

    According to /. nearly 1 in 10 Americans have deleted their FB accounts.

    Can we make it 10 in 10? Perhaps then Zuck will notice that his time has passed just like MySpace.

    Then we can target Instagram and Snapchat and even Twitter, but 'The Donald' won't like that. But hey, every cloud has a silver lining.

    Never had an account on any of the above anti-social networks and never will.

    1. Blank Reg

      Re: and in other news...

      I'm not really concerned; what are they going to find out? That I think (know) that Trump is an idiot, or that I prefer Star Trek over Star Wars? If someone wants to find me, all they need is my name, as it's very rare. You can probably count all of us on one hand, so it wouldn't take long to track me down.

      This probably seems like a very odd attitude if you understand the origin of my handle on this site.

  18. AndrueC Silver badge

    That means advertisers can zero in on their products' ideal buyers, and, say, sling expensive pet food ads at rich dog owners. However, these systems can also be exploited by scumbags to potentially slurp sensitive records.

    Both of which sound bad to me.

  19. Joe Harrison Silver badge

    I don't get special ads

    I don't make an effort to block Facebook ads; this is so I can keep an eye on how well-targeted the ads are, hence how much they know about me. The ads are not targeted at all; vaguely aligned with my lifestyle, for example they have obviously figured out I work in IT, but that's about it. Although I can't say I use their system much, so perhaps they have less to work with.

    Maybe they are not all-knowing, maybe that is just what they pretend to their advertisers?

  20. Roger Kint

    Won't somebody think of the Russians?

    Well, at least we aren't talking about Russians meddling with global democracy now and are actually blaming the people responsible for managing the tech they used. If only there was a tinfoil hat icon, I could imply how castigating Zuck (which, to be fair, he deserves) was distracting people away from something that had too much focus?

  21. fluffybunnyuk

    Well, if personal data is passed to 3rd parties without given consent, that constitutes a breach of GDPR and a 4% smack of a fine. Facebook isn't going to be able to take too many of those before it decides to secure personal data better.

    So I'm more than happy that companies will concentrate on spamming US citizens in America rather than those in Europe.

Biting the hand that feeds IT © 1998–2019