Facebook Flaw Could Have Exposed Users’ Personal Info to Advertisers—or Russian Trolls.

Facebook says advertisers can’t see identifying information about the users they target. But a new study reveals how a set of clever ad buys could have revealed users’ phone numbers, email addresses, and other personal information—no hacking involved.

Facebook’s advertising tools let buyers reach highly targeted demographics. When a Russian troll farm promoted a bogus Second Amendment group, for example, it paid 48,305.55 Rubles to reach American adults who had liked pages relating to gun rights. Despite controversy over its advertising platform, Facebook has consistently assured users that it never gives out personally identifying information. But the study, presented at the Federal Trade Commission’s PrivacyCon last week, found that advertisers could have figured out users’ personal information through simple process of elimination.

“If not implemented carefully, the custom audience feature can inadvertently leak bits of information about users to advertisers,” the study, conducted by U.S., French, and German researchers found.

Facebook told The Daily Beast it fixed the flaw in December, when researchers came to them with their findings before the paper’s publication. The company paid the researchers a $5,000 bounty for finding the bug.

The now-fixed flaw kicked in when advertisers targeted two or more audiences. Facebook lets advertisers select an audience by its likes on Facebook, demographics, or more personally identifying information like zip code, phone number, or email address. After advertisers input that information, Facebook serves ads to people who meet the criteria. The social media giant does not intentionally disclose which users saw the ads.

But two overlapping ad buys were all it took to deanonymize users, the study found. If an advertiser paid to reach two audiences—adults in Boston, and people who liked McDonald’s, for example—Facebook would only count McDonald’s-loving Boston adults once when reporting how many people the ads had reached.

Malicious actors could put the system to more nefarious use. The researchers recruited 14 volunteers from the Boston area, and eight volunteers from France to test whether they could use different sets of overlapping ad buys to guess the volunteers’ phone numbers.

“For Boston, we create a total of 140 lists: two area codes (617 and 857), where phones of each area code have 7 digits we need to infer,” the researchers wrote. “Each list contains 1M phone numbers, all with a single digit in common.”

By cycling through different combinations of lists, “we are successfully able to infer the numbers of 11 of the 14 users in Boston, and of all 8 of the users in France. In the cases where we succeeded, we were able to infer each users’ phone number in under 20 minutes.”

When the system failed, it was because of incomplete information on the user end, not because of any safeguards in place by Facebook.

“We carefully examined the three users on whom the attack failed, and we found that one user had never provided their phone number to Facebook,” the researchers found, “while the other two users had actually provided multiple phone numbers to Facebook.”

In another experiment, the researchers tested whether they could de-anonymize volunteers with Boston area codes who clicked on their website, where they had installed a Facebook tool that tracks visitors. Some of the attempts failed because the volunteers had ad-blockers installed on their computers. But the researchers were able to find phone numbers for all but one of the remaining volunteers. (The failed attempt came from a user who’d provided multiple phone number to Facebook.)

It’s not just researchers who could have abused the security flaw. The researchers highlighted the potential for hackers or governments to mine Facebook’s ad tools for information.

“These attacks can be particularly devastating for user privacy,” the researchers wrote. “For example, they enable malicious users to infer the phone numbers of celebrities or politicians, allow oppressive governments to identify and intimidate citizens who dissent online, enable adversaries to easily identify users’ mobile numbers for purposes of ‘phone porting’ attacks, and allow website operators to de-anonymize users who visit websites that may contain embarrassing or censored content.”

Facebook said it initially disabled a “reach estimation” tool the researchers exploited, and recently restored it with new safety measures.

“We’re grateful to the researchers who brought this issue to our attention,” Facebook spokesperson Mike Manning told The Daily Beast. “We didn’t see any abuse of this complex technique, and have restored reach estimation on a limited basis now that we have added appropriate safeguards against potential abuse.”