A Quiz App On Facebook Which Tells What Disney Princess You Are Accidentally Exposes 120M Users' Data


© PCMAG.com   Facebook

A quiz app on Facebook that can tell you which Disney princess you are has also been leaking the personal information of its 120 million users. The quiz app from Nametests.com was apparently storing the personal information of its users in a rather careless way: the data was circulating through a public JavaScript file that other websites could theoretically access.

He Said:

"I was shocked to see that this data was publicly available to any third-party that requested it," said Inti De Ceukelaire, the Belgian security researcher who discovered the data leak.

On Wednesday, he published a post describing how the JavaScript file might endanger the privacy of Nametests.com users. A third-party website could potentially exploit the JavaScript file to see whether incoming visitors have a Facebook profile. If the visitors do, the website could harvest details of the Facebook profiles, including name, age, birth date and gender.

De Ceukelaire demoed the threat by creating his own website that can fetch data from the quiz app's JavaScript file. Any users of the quiz app who visited his website would get not only their Facebook data harvested but also their photos and friends list.
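
The article does not show the code involved. As an added illustration of this class of leak (not code from Nametests, Facebook or De Ceukelaire), the example below contrasts a handler that returns session-bound user data as executable script with a hardened one that returns non-executable JSON and refuses cross-site requests. The handler names, the origin `https://quiz.example`, the header checks chosen and the sample record are all assumptions.

```javascript
// Added example: names, origin and sample data are assumptions, not from the article.
const OWN_ORIGIN = "https://quiz.example";                       // hypothetical site origin
const SAMPLE_SESSION = { name: "Alice Example", gender: "female" }; // constructed record

// Leaky pattern: the logged-in user's data is emitted as a script.
// Script includes are exempt from the same-origin policy and carry the
// visitor's cookies, so any page that references this URL receives the data.
function leakyHandler(req, session) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `var userData = ${JSON.stringify(session)};`,
  };
}

// Hardened pattern: refuse anything that is not a same-origin API call,
// and return JSON that a browser will not execute as script.
function hardenedHandler(req, session, ownOrigin = OWN_ORIGIN) {
  const site = req.headers["sec-fetch-site"];   // sent by modern browsers
  const origin = req.headers["origin"];         // sent on CORS and POST requests
  const crossSite =
    (site !== undefined && site !== "same-origin") ||
    (origin !== undefined && origin !== ownOrigin);
  // A custom header cannot be attached by a script include, and a cross-origin
  // fetch that sets it triggers a CORS preflight this server never approves.
  const hasApiHeader = req.headers["x-requested-with"] === "XMLHttpRequest";
  if (crossSite || !hasApiHeader) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",           // no MIME sniffing into script
      "Cross-Origin-Resource-Policy": "same-origin", // browser blocks cross-origin loads
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(session),
  };
}

// Constructed requests: a script include from another site, and the app's own call.
const crossSiteInclude = { headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" } };
const ownApiCall = { headers: { "sec-fetch-site": "same-origin", "x-requested-with": "XMLHttpRequest" } };
```
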

"It would only take one visit to our website to gain access to someone's personal information for up to two months," he wrote in his blog post. "I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos."

De Ceukelaire reported the problem to Facebook in April through the company's new bug bounty program, which was introduced in response to the Cambridge Analytica scandal.

Facebook said:

"This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems," Facebook said in a post about the flaw, which the company helped to fix.

"To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it," Facebook added.

The developers behind Nametests.com, Social Sweethearts, said they have found no evidence that bad actors ever abused the flaw.

However, De Ceukelaire said the whole incident raises serious questions over how Social Sweethearts is handling the data of its users. He also noted that it took Facebook over two months before it finished its investigation and finally patched the flaw. During that time the quiz apps from Nametests.com were still up and running.

"I am glad both Facebook and NameTests cooperated and resolved the issue," he said in his blog post. "On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better."

To protect yourself, De Ceukelaire recommends that you delete any apps from Facebook that you're no longer using.
