Nametests: Facebook quiz app publicly exposed personal data of 120 million users for years

• The data exposure was caused by a flaw which exposed users’ personal data even after the quiz app was deleted.
• The data collected by the app was accessible by any third-party.

Facebook has once again found itself in the middle of a data and privacy pickle. In the wake of the Cambridge Analytica scandal, the social media giant was forced to publicly apologise for its gross neglect of users’ privacy. The company made strenuous claims of having learnt from its mistakes, vowing to protects its users’ data better in the future.

However, despite the social media giant’s repeated promises of improving users’ data security, a new data exposure incident linked to the company was recently discovered.

A popular Facebook quiz app has been inadvertently exposing the personal data of around 120 million users for years.

Quiz app bug allowed complete data access

Nametests.com, the site behind the quizzes, collected a quiz taker’s personal data and displayed it in a JavaScript file that could be accessed by any website that requested for the data.

“I was shocked to see that this data was publicly available to any third-party that requested it,” self-proclaimed hacker Inti De Ceukelaire wrote in a blog. “In a normal situation, other websites would not be able to access this information. Web browsers have mechanisms in place to prevent that from happening.

“In this case however, the data was wrapped in something called javascript, which is an exception to this rule.”

Data accessible to all

Ceukelaire said that he set up a website to check how simple it would be for someone to steal the data collected by Nametests.com. He added that the quiz site provided him a secret key called an access token, which could be used to access a visitor’s Facebook posts, photos and friends for two months.

Nametests.com also revealed users’ identity even after they had deleted the quiz app.

“Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends,” De Ceukelaire added.

Data loss helps charity profit

De Ceukelaire said he reported the issue to Facebook’s Data Abuse Bounty program on April 22. A month later, Facebook was still investigating the issue, even as Nametests.com continued exposing users’ data.

On June 25, Nametests.com had fixed the issue which prevented third-parties from accessing users’ personal information.

Nametests told De Ceukelaire that they had not found any evidence that indicated that any third-party entities had abused the data, adding that the firm has implemented security measures to detect and avoid such bugs in the future.

Facebook donated $8,000 to the Freedom of the Press Foundation as part of its bug bounty. De Ceukelaire was slated to be awarded a $4,000 bounty, which he requested be donated to the Freedom of the Press Foundation.

Facebook matched the amount, donating double the bounty amount to the charity.

“I have mixed feelings about this one,” De Ceukelaire said. “I am glad both Facebook and NameTests cooperated and resolved the issue. On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better.”