Flaw in Facebook quiz app exposed data of 120mn users

Security researcher Inti De Ceukelaire first discovered the issue.

He noticed his information like name, country, birthday, gender, and age loaded on NameTests' website in a JavaScript file without any encryption, and could be easily obtained by third parties.

To prove the problem, he set up a website that extracted Facebook data like photos and friend lists of any visitor who has used NameTests.

This comes in the wake of the recent Facebook-Cambridge Analytica scandal, in which personal information of 87 million users was collected to allegedly manipulate voters ahead of the 2016 US Presidential elections.

Later in an audit, Facebook suspended 200 potentially problematic third-party apps.

However, the current issue is a case of a security flaw on NameTests' website and not of Facebook's weak policies.

De Cuekelaire reported the bug to Facebook via its Data Abuse Bounty Program in April, and the issue was fixed in June.

"We worked with nametests.com to resolve the vulnerability on their website," said Facebook.

De Cuekelaire was offered $4,000 as the bug bounty, which he asked to donate to the Freedom of the Press Foundation. Facebook matched the donation to make it $8,000.