Flaw in Facebook quiz app exposed data of 120mn users
What's the story
It has been found that a quiz app on Facebook called "NameTests" had a flaw which allowed anyone to access personal information of its over 120 million users. The German company behind NameTests called "Social Sweethearts" has developed popular Facebook quizzes like "Which Disney Princess Are You?" This means anyone who took NameTests' quizzes was vulnerable to the security flaw.
Details
Data was publicly available to any third-party who requested it
Security researcher Inti De Ceukelaire first discovered the issue. He noticed his information like name, country, birthday, gender, and age loaded on NameTests' website in a JavaScript file without any encryption, and could be easily obtained by third parties. To prove the problem, he set up a website that extracted Facebook data like photos and friend lists of any visitor who has used NameTests.
Background
Facebook's handling of data leaks and security breaches under scrutiny
This comes in the wake of the recent Facebook-Cambridge Analytica scandal, in which personal information of 87 million users was collected to allegedly manipulate voters ahead of the 2016 US Presidential elections. Later in an audit, Facebook suspended 200 potentially problematic third-party apps. However, the current issue is a case of a security flaw on NameTests' website and not of Facebook's weak policies.
Solution
Facebook handled the issue through its Data Abuse Bounty Program
De Cuekelaire reported the bug to Facebook via its Data Abuse Bounty Program in April, and the issue was fixed in June. "We worked with nametests.com to resolve the vulnerability on their website," said Facebook. De Cuekelaire was offered $4,000 as the bug bounty, which he asked to donate to the Freedom of the Press Foundation. Facebook matched the donation to make it $8,000.
Quote
No evidence that personal data was exposed, misused: Social Sweethearts
Social Sweethearts' data protection officer Thomas Schwenke said, "The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and that it had been misused. Data security is taken very seriously at Social Sweethearts."