This study addresses a critical privacy vulnerability in mainstream social media platforms, where advertisers are permitted to target users based on sensitive attributes and subsequently access their profiles following user interactions—such as likes or comments—thereby violating the platforms’ stated privacy commitments. Through empirical testing on TikTok, Facebook, and Instagram, combined with a detailed analysis of platform policies, this work demonstrates for the first time that advertisers can exploit user engagement behaviors to identify individuals possessing specific sensitive characteristics, revealing a significant gap in current privacy protections. To mitigate the risk of inadvertent privacy disclosure, the paper proposes interface design enhancements that improve user transparency and control over their data in targeted advertising contexts.

Popular social media platforms TikTok, Facebook and Instagram allow third-parties to run targeted advertising campaigns on sensitive attributes in-platform. These ads are interactive by default, meaning users can comment or ``react'' (e.g., ``like'', ``love'') to them. We find that this platform-level design choice creates a privacy loophole such that advertisers can view the profiles of those who interact with their ads, thus identifying individuals that fulfill certain targeting criteria. This behavior is in contradiction to the promises made by the platforms to hide user data from advertisers. We conclude by suggesting design modifications that could provide users with transparency about the consequences of ad interaction to protect against unintentional disclosure.