Flaw in Facebook quiz app exposed data of 120mn users

Jun 29, 2018
03:14 pm

What's the story

A quiz app on Facebook called "NameTests" has been found to have a flaw that allowed anyone to access the personal information of its more than 120 million users. Social Sweethearts, the German company behind NameTests, has developed popular Facebook quizzes like "Which Disney Princess Are You?" This means anyone who took NameTests' quizzes was vulnerable to the security flaw.

Details

Data was publicly available to any third-party who requested it

Security researcher Inti De Ceukelaire first discovered the issue. He noticed that his information, such as name, country, birthday, gender, and age, was loaded on NameTests' website in a JavaScript file without any encryption, and could be easily obtained by third parties. To prove the problem, he set up a website that extracted Facebook data like photos and friend lists of any visitor who had used NameTests.

Background

Facebook's handling of data leaks and security breaches under scrutiny

This comes in the wake of the recent Facebook-Cambridge Analytica scandal, in which personal information of 87 million users was collected to allegedly manipulate voters ahead of the 2016 US Presidential elections. Later in an audit, Facebook suspended 200 potentially problematic third-party apps. However, the current issue is a case of a security flaw on NameTests' website and not of Facebook's weak policies.

Solution

Facebook handled the issue through its Data Abuse Bounty Program

De Ceukelaire reported the bug to Facebook via its Data Abuse Bounty Program in April, and the issue was fixed in June. "We worked with nametests.com to resolve the vulnerability on their website," said Facebook. De Ceukelaire was offered $4,000 as the bug bounty, which he asked to be donated to the Freedom of the Press Foundation. Facebook matched the donation to make it $8,000.

Quote

No evidence that personal data was exposed, misused: Social Sweethearts

Social Sweethearts' data protection officer Thomas Schwenke said, "The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and that it had been misused. Data security is taken very seriously at Social Sweethearts."