He found a privacy breach. Facebook gave him a grant to plug the leak.

Alan Mislove, an associate professor of computer and information science, recently received a grant from Facebook. Photo by Matthew Modoono/Northeastern University

Faced with a barrage of negative publicity about personal information leaks, Facebook has announced a new Secure the Internet grant program to fund research aimed at plugging those leaks.  

One of the 10 grants went to Northeastern cybersecurity expert Alan Mislove, an associate professor of computer and information science.

Earlier this year, Mislove and his graduate student Giridhari Venkatadri published a study showing how a feature on Facebook’s advertising platform allows information hackers to obtain your phone number. This is significant because a person’s phone number can be used as the first step in schemes to steal other personal data.  

Photo by Matthew Modoono/Northeastern University

Mislove noted that Facebook quickly adopted the temporary fix he proposed and has now awarded him a $60,000 grant to develop a more robust way to fix the problem.

“The Facebook security team has been very responsive,” said Mislove. “I also want to emphasize that this doesn’t just apply to Facebook. Several other large internet companies including Google, Instagram, Twitter, Pinterist, and LinkedIn offer advertising services that have similar features. Facebook’s is just the most mature, and was the one we studied the most.”

The leak is the product of a relatively new feature to Facebook’s advertising system known as “custom audiences.”

Traditional advertising on Facebook is based on demographics—the company that wants to place an ad sets parameters for a variety of attributes such as age, income, education, geography, and political party. Then Facebook identifies users who fit that profile and send them ads.

But the appeal of custom audiences is based on the premise that it’s easier to sell to your current customers than to find new ones. The way it works is pretty straightforward: the company compiles a list of their own customers they want to receive the ad. This can be their entire customer list or a subset based on demographics and buying patterns. Facebook then matches that list with their own user base and sends ads to all of the people on the company’s list who are also Facebook users.

Photo by Matthew Modoono/Northeastern University

It’s a rather benign service. But Mislove uncovered a way that malicious advertisers can exploit this system to obtain personal information that neither Facebook nor their users intends to disclose.

“With just an email address, it takes about 20 minutes to infer a person’s phone number,” said Mislove, who lays out the details of how the breach works in his paper. “This can be used to get the phone numbers and other information for celebrities and politicians.”

But the security risk goes far beyond an unwanted phone call. Because phone numbers are typically one of the elements in a two-factor authentication system—and the other element can often be gleaned from other public databases—a leaked phone number can constitute a serious breach for both the person and his or her business.

By using a system known as “phone porting,” hackers can potentially use that information to take over your phone account, which gives them access to a wide range of personal data.

“The victim’s phone number becomes the weakest link in their personal security,” said Mislove. “It can set the stage for a much larger information attack.”