
Another rogue Facebook quiz app exposed the data of 120 million users
Cambridge Analytica may have been the tip of the iceberg

HOT ON THE HEELS of the Cambridge Analytica scandal, it's emerged that another rogue Facebook quiz app has exposed the personal data of up to 120 million users.
NameTests, which accessed personal data through the Facebook API, had a serious flaw in its website. Names, dates of birth, posts, statuses, pictures and friend lists of those taking part in online quizzes were all readily accessible, according to ethical hacker Inti De Ceukelaire, who goes by the Twitter tag @securinti. The data could be compromised even after the apps had been deleted.
De Ceukelaire, who had been participating in the bug bounty programme set up by Facebook after the Cambridge Analytica scandal broke, found that on participating in a Facebook quiz, his name, age and country were embedded in JavaScript, which could be loaded from other sites and thereby stolen at this endpoint URL: https://nametests.com/appconfig_user/.
The code also included a token giving access to all the data the quiz application had access to, including photos, Facebook posts and lists of friends, De Ceukelaire said in a blog post.
De Ceukelaire reported the vulnerability to Facebook on 22 April, but a month later the social media firm told him it could take three to six months to investigate the issue. However, on 25 June he noticed that NameTests had fixed the vulnerability, and the firm told him it had found no evidence of abuse by a third party.
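An added example, not taken from the article, De Ceukelaire's post or NameTests' code: one way a server can keep a per-user endpoint like the one described above from being read through a script include on another site. The function names, the X-Requested-With convention and the sample requests are assumptions made for illustration.

```javascript
// Hypothetical guard: true only for a same-origin fetch/XHR made by our own page.
function isTrustedDataRequest(headers) {
  const site = headers['sec-fetch-site'];
  // Fetch Metadata (modern browsers): a <script src> include from another
  // site arrives with Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: script.
  if (site !== undefined && site !== 'same-origin') return false;
  if (headers['sec-fetch-dest'] === 'script') return false;
  // A script include cannot set custom headers, and a cross-origin fetch
  // that sets one needs a CORS preflight, which this server never grants.
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Hypothetical handler body: returns the response for the per-user endpoint.
function respondWithUserData(headers, user) {
  if (!user || !isTrustedDataRequest(headers)) {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'Forbidden' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8', // data, not a script
      'X-Content-Type-Options': 'nosniff', // browsers refuse to execute it as JS
      'Cache-Control': 'no-store',
    },
    // Display fields only: the platform access token stays on the server.
    body: JSON.stringify({ name: user.name, country: user.country }),
  };
}

// Constructed sample input (not captured traffic).
const sampleUser = { name: 'Alice Example', country: 'BE', accessToken: 'constructed-token' };
const ownPageFetch = {
  'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'empty',
  'x-requested-with': 'XMLHttpRequest',
};
const crossSiteInclude = { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' };

console.log(respondWithUserData(ownPageFetch, sampleUser).status);     // own page
console.log(respondWithUserData(crossSiteInclude, sampleUser).status); // other site
```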
The flaw appears to have existed since the end of 2016. NameTests has more than 120 million active monthly users so a considerable amount of personal data could potentially have been syphoned off and used for who knows what.
"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends," De Ceukelaire wrote.
On 27 June, Facebook contacted De Ceukelaire confirming the existence of the vulnerability and saying it was now fixed. On De Ceukelaire's request, it donated $8,000 to the Freedom of the Press Foundation as part of the data abuse bounty programme.
While there is no evidence that any personal data was abused as a result of the glitch, De Ceukelaire said that accessing the information was "easy". The real scandal is that a tech company as sophisticated as Facebook apparently views the security of third-party apps using its API as a minor concern. µ