HOT ON THE HEELS of the Cambridge Analytica scandal, it's emerged that another rogue Facebook quiz app has exposed the personal data of up to 120 million users.
NameTests, which accessed personal data through the Facebook API, had a serious flaw in its website. Names, dates of birth, posts, statuses, pictures and friend lists of those taking part in online quizzes were all readily accessible, according to ethical hacker Inti De Ceukelaire, who goes by the Twitter tag @securinti. The data could be compromised even after the apps had been deleted.
The code also included a token giving access to all to all data the quiz application had access to, including photos, Facebook posts and lists of friends, De Ceukelaire said in a blog post.
De Ceukelaire reported the vulnerability to Facebook on 22 April, but a month later the social media firm told him it could take three to six months to investigate the issue. However, on 25 June he noticed that NameTest had fixed the vulnerability, and the firm told him it had found no evidence of abuse by a third party.
The flaw appears to have existed since the end of 2016. NameTests has more than 120 million active monthly users so a considerable amount of personal data could potentially have been syphoned off and used for who knows what.
"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends," De Ceukelaire wrote.
On 27 June, Facebook contacted De Ceukelaire confirming the existence of the vulnerability and saying it was now fixed. On De Ceukelaire's request, it donated $8,000 to the Freedom of the Press Foundation as part of the data abuse bounty programme.
While there is no evidence that any personal data was abused as a result of the glitch, De Ceukelaire said that accessing the information was "easy". The real scandal is that a tech company as sophisticated as Facebook apparently views the security of third-party apps using its API as a minor concern. µ
Firm quietly closes down hardware initiatives launched following Windows 8
Another day, another Trump trip-up
So-called 'Beyond X' will be firm's highest-spec Galaxy smartphone yet
Val-deri, val-dera, my cutting edge mapping sensors on my back