The Inquirer

Another rogue Facebook quiz app exposed the data of 120 million users

Cambridge Analytica may have been the tip of the iceberg

  • John Leonard
  • @_JohnLeonard
  • 29 June 2018

HOT ON THE HEELS of the Cambridge Analytica scandal, it's emerged that another rogue Facebook quiz app has exposed the personal data of up to 120 million users. 

NameTests, which accessed personal data through the Facebook API, had a serious flaw in its website. Names, dates of birth, posts, statuses, pictures and friend lists of those taking part in online quizzes were all readily accessible, according to ethical hacker Inti De Ceukelaire, who goes by the Twitter tag @securinti. The data could be compromised even after the apps had been deleted.

De Ceukelaire, who had been participating in the bug bounty programme set up by Facebook after the Cambridge Analytica scandal broke, found that on participating in a Facebook quiz, his name, age and country were embedded in JavaScript, which could be loaded from other sites and thereby stolen at this endpoint URL: https://nametests.com/appconfig_user/.

The code also included a token giving access to all data the quiz application had access to, including photos, Facebook posts and lists of friends, De Ceukelaire said in a blog post.
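The pattern described above (per-user data and a token served as JavaScript that other sites can load) next to a hardened handler, as an added example that is not from the article, De Ceukelaire's post or NameTests. The function names, session fields and request shape are assumptions made for illustration.

```javascript
// Constructed sample data; field names are assumptions, not NameTests' real schema.
const sampleSession = { name: "Alice Example", age: 30, country: "BE", token: "PLACEHOLDER_TOKEN" };

// Pattern the article describes: per-user data returned as executable JavaScript
// on a cookie-authenticated GET. Script loads are not blocked by the same-origin
// policy, so any site the user visits can include this response and read it.
function userConfigAsScript(req, session) {
  if (!session) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userConfig = " + JSON.stringify(session) + ";",
  };
}

// Hardened form: the data is JSON only, requests that are not same-origin or
// that target a script are refused, and the token is never sent to the browser.
function userConfigAsJson(req, session) {
  if (!session) return { status: 401, headers: {}, body: "" };
  const site = req.headers["sec-fetch-site"];
  const dest = req.headers["sec-fetch-dest"];
  // Browsers without Fetch Metadata send neither header; for them the JSON
  // content type plus nosniff below stops the response running as a script.
  const crossSite = site !== undefined && site !== "same-origin" && site !== "none";
  if (crossSite || dest === "script") return { status: 403, headers: {}, body: "" };
  const { token, ...profile } = session; // token stays server-side
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
      "Vary": "Sec-Fetch-Site, Sec-Fetch-Dest",
    },
    body: JSON.stringify(profile),
  };
}
```

The hardened handler treats `same-site` requests as untrusted too; relax that check only if sibling subdomains genuinely need the data.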

De Ceukelaire reported the vulnerability to Facebook on 22 April, but a month later the social media firm told him it could take three to six months to investigate the issue. However, on 25 June he noticed that NameTests had fixed the vulnerability, and the firm told him it had found no evidence of abuse by a third party.

The flaw appears to have existed since the end of 2016. NameTests has more than 120 million active monthly users so a considerable amount of personal data could potentially have been syphoned off and used for who knows what.

"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends," De Ceukelaire wrote.

On 27 June, Facebook contacted De Ceukelaire confirming the existence of the vulnerability and saying it was now fixed. On De Ceukelaire's request, it donated $8,000 to the Freedom of the Press Foundation as part of the data abuse bounty programme.

While there is no evidence that any personal data was abused as a result of the glitch, De Ceukelaire said that accessing the information was "easy". The real scandal is that a tech company as sophisticated as Facebook apparently views the security of third-party apps using its API as a minor concern. µ

© Incisive Business Media (IP) Limited, Published by Incisive Business Media Limited, New London House, 172 Drury Lane, London WC2B 5QR, registered in England and Wales with company registration numbers 09177174 & 09178013
