How A Quiz App Exposed The Data Of 120 Million Users Without Facebook Knowing About It


Just when users thought it was safe to go back on Facebook and that their data was secure, another large-scale exposure of user data may have occurred.

What Was Discovered About Quizzes On Facebook?

More than 120 million Facebook users may have had their private information exposed through a third-party quiz app. The news comes just a few months after it was revealed that Cambridge Analytica had harvested data from up to 87 million Facebook users.

The quizzes were supplied by NameTests, a quiz site run by the media company Social Sweethearts. A flaw in the site let a user's Facebook information be read by other websites, and the exposure could continue long after the user had removed the quiz app from their Facebook account, because NameTests kept its own login session in the browser. Only clearing the site's cookies stopped it. According to the researcher who found it, the flaw had existed since at least late 2016.

How This Glitch Was Discovered And Tested

Security researcher Inti De Ceukelaire found the issue while taking part in the Data Abuse Bounty Program that Facebook launched in the wake of the Cambridge Analytica scandal. Knowing that a quiz app was how Cambridge Analytica had harvested its data, he decided to try one.

"Upon closer investigation, I noticed something strange," he wrote on Medium. "While loading a test, the website would fetch my personal information and display it on the webpage. I was shocked to see that this data was publicly available to any third-party that requested it."

Normally, another website should not be able to read a user's private Facebook information, such as photos, locations, and friends. To test this, De Ceukelaire set up his own website that loaded data from NameTests about any visitor who was logged in there. The data NameTests handed over included a secret key (an access token), which he could then use to read the visitor's posts and other private information. De Ceukelaire said a single visit to his page was all it took for a user to be exposed.
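The following is an added example, not NameTests' or De Ceukelaire's code. It models the class of bug the article describes: a quiz site returns the logged-in visitor's Facebook data, access token included, as an executable script, so any third-party page can load it with a plain script tag while the browser attaches the visitor's quiz-site cookie automatically. It then shows a hardened version of the same endpoint. The hostnames, paths, session store and user record are all constructed for this demo and are not the real NameTests endpoints.

```javascript
// Added example: a JSONP-style data leak beside its hardened form.
// Not NameTests' or De Ceukelaire's code; names and data are constructed.

const SITE_ORIGIN = "https://quiz.example"; // assumed quiz-site origin

// Constructed session store: cookie value -> data the quiz site cached from Facebook.
const SESSIONS = {
  sess_abc123: {
    id: "100000000000001",
    name: "Example User",
    email: "user@example.com",
    access_token: "EAAB-constructed-token",
  },
};

// Minimal Cookie-header parser, enough for "sid=...; other=...".
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function sessionFor(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  return sid && SESSIONS[sid] ? SESSIONS[sid] : null;
}

// VULNERABLE: JSONP-style "user config" endpoint. The body is JavaScript, so a
// cross-site <script src> executes it, and nothing ties the request to the
// site's own pages: the session cookie alone is enough.
function vulnerableUserConfig(req) {
  const user = sessionFor(req);
  if (!user) return { status: 401, headers: { "content-type": "application/javascript" }, body: "" };
  const cb = new URL(req.url, SITE_ORIGIN).searchParams.get("callback") || "userConfig";
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `${cb}(${JSON.stringify(user)});`,
  };
}

// HARDENED: (1) plain JSON with nosniff, so a <script> tag cannot execute it;
// (2) a custom request header, which a <script> tag cannot send and which a
//     cross-origin fetch() cannot send without a CORS preflight this server
//     never approves; (3) the access token never leaves the server.
function hardenedUserConfig(req) {
  const jsonHeaders = { "content-type": "application/json", "x-content-type-options": "nosniff" };
  const user = sessionFor(req);
  if (!user) return { status: 401, headers: jsonHeaders, body: "{}" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: jsonHeaders, body: "{}" };
  }
  const { access_token, ...safe } = user; // strip the token before responding
  return { status: 200, headers: jsonHeaders, body: JSON.stringify(safe) };
}

// An attacker page on another origin embeds:
//   <script src="https://quiz.example/appconfig_user?callback=leak"></script>
// The victim's browser sends the quiz-site cookie with that request and runs
// the response as script. This models that: the body is executed with `leak`
// bound to the attacker's callback, and whatever it captured is returned.
function simulateScriptInclude(handler) {
  const req = {
    url: "/appconfig_user?callback=leak",
    headers: { cookie: "sid=sess_abc123" }, // a script tag cannot add custom headers
  };
  const res = handler(req);
  if (res.status !== 200) return null;
  const ct = res.headers["content-type"] || "";
  // Browsers honouring nosniff refuse to run a non-JavaScript MIME type as script.
  if (res.headers["x-content-type-options"] === "nosniff" && !ct.startsWith("application/javascript")) return null;
  let captured = null;
  new Function("leak", res.body)((data) => { captured = data; });
  return captured;
}

// The site's own front end, same origin, calling fetch() with the custom header.
function simulateSameOriginFetch(handler) {
  return handler({
    url: "/appconfig_user",
    headers: { cookie: "sid=sess_abc123", "x-requested-with": "XMLHttpRequest" },
  });
}

console.log("vulnerable, cross-site include:", simulateScriptInclude(vulnerableUserConfig));
console.log("hardened, cross-site include:  ", simulateScriptInclude(hardenedUserConfig));
console.log("hardened, same-origin fetch:   ", simulateSameOriginFetch(hardenedUserConfig).body);
```

The vulnerable handler hands the attacker the whole record, token included, on the strength of the cookie alone; the hardened one answers the same same-origin request with JSON that omits the token and refuses anything that arrives without the custom header. Stripping the token server-side is the part that matters most: even with a perfect same-origin check, a leaked access token is what turns a profile leak into access to posts, photos and friends.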

Ramifications Of The Quiz Glitch

De Ceukelaire said he reported the issue to Facebook's Data Abuse Bounty Program on April 22. Facebook told him the investigation could take months; the issue has since been fixed. On June 27, at De Ceukelaire's request, Facebook donated his $8,000 reward to the Freedom of the Press Foundation.

"We appreciate Inti's work to identify this issue and Social Sweethearts' quick action to fix it on their site," Facebook wrote. "This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems."

De Ceukelaire also reached out to NameTests and received a response. NameTests reportedly said it had found no evidence of abuse by a third party and that it would run further tests to find any remaining bugs.

ⓒ 2018 All rights reserved. Do not reproduce without permission.