Quiz App found leaking Facebook data of 120 million users as recently as last month

Another Cambridge Analytica in the making

  • Published: June 29, 2018 5:29 PM IST

Aleksandr Kogan’s ‘thisisyourdigitallife’ might not be the only app to have exploited Facebook to harvest user data. A researcher discovered that a third-party app called NameTests left the data of 120 million Facebook users exposed to anyone who happened to find it. This raises further questions around Facebook’s ability to secure its system.

Facebook’s privacy scandal became a public matter early this year when it was revealed that the UK-based big data firm Cambridge Analytica used Kogan’s application to harvest Facebook user data illegally. During the hearing it was revealed that Facebook knew about this loophole and did not take preventive measures at the right stage. As the issue played out prominently in the US Senate and led to suggestions about regulating big tech firms like Facebook, the social media giant started taking action, including restricting applications from accessing sensitive user data.

In an effort to prove itself trustworthy, Facebook has rolled out changes including the suspension of 200 apps based on an audit of third-party apps last month. It now seems there are more problems that Facebook will have to address in the coming months. The flaw in the quiz app NameTests was demonstrated by ethical hacker Inti De Ceukelaire.

On Wednesday, De Ceukelaire described the process of reporting a flaw in the quiz app’s website to Facebook’s Data Abuse Bounty program. Since he had never personally tried a quiz app on Facebook, De Ceukelaire started looking at the apps his friends were using on the social media platform. He then decided to take his first quiz on the NameTests app and trace how his data was being handled.

During this process, De Ceukelaire noticed that the website was fetching information from the URL and that his personal data was transmitted in a JavaScript file that could be requested by any website that knew how to request it. The website running the quiz app was also found to provide an access token that would allow any website to continue to access information about a user, including their posts, photos and friends, for up to two months.

“Depending on what quizzes you took, the JavaScript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” he wrote in a Medium post.
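The pattern described above, sketched as an added example (not NameTests’ code and not from De Ceukelaire’s write-up): a response that embeds user data in executable JavaScript, next to a hardened JSON variant that refuses cross-site and script-tag requests. The origin `https://quiz.example`, the field names and the sample user are constructed assumptions.

```javascript
// Added illustration: origin, field names and sample user are constructed assumptions.
const ALLOWED_ORIGIN = "https://quiz.example"; // hypothetical first-party origin
const sampleUser = { id: "1000000001", firstName: "Test", accessToken: "CONSTRUCTED_TOKEN" };

// Pattern the article describes: user data emitted as executable JavaScript.
// Script loads are exempt from the same-origin policy and carry the user's
// cookies, so any page that references this URL receives the data.
function leakyResponse(user) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// Hardened form: JSON only, same-origin fetches only, token never sent to the browser.
function hardenedResponse(reqHeaders, user) {
  const site = reqHeaders["sec-fetch-site"]; // set by modern browsers
  const dest = reqHeaders["sec-fetch-dest"];
  const origin = reqHeaders["origin"];
  const crossSite = site !== undefined && site !== "same-origin";
  const scriptLoad = dest === "script"; // request came from a <script> tag
  const badOrigin = origin !== undefined && origin !== ALLOWED_ORIGIN;
  if (crossSite || scriptLoad || badOrigin) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "forbidden" };
  }
  const { accessToken, ...publicFields } = user; // token stays server-side
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // browser will not run this as script
      "Cache-Control": "no-store",
      "Cross-Origin-Resource-Policy": "same-origin",
    },
    body: JSON.stringify(publicFields),
  };
}

// Stand-alone run: compare the two responses for a cross-site script load.
const crossSiteScript = { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" };
console.log("leaky:", leakyResponse(sampleUser).body);
console.log("hardened:", hardenedResponse(crossSiteScript, sampleUser).status);
```

Requests from older browsers that send no `Sec-Fetch-*` headers still pass the header checks, which is why the JSON content type and `nosniff` are set on every successful response.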

The NameTests app may not have been designed with the intent of stealing user information, and the flaw may well have been caused by negligence on its developer’s part. But it further shows how apps and services on Facebook might still have flaws that hackers can exploit to collect Facebook user data.


Another discovery by De Ceukelaire is the inefficient handling of such reports via the Data Abuse Bounty program. De Ceukelaire says he reported the issue on April 22 and received a response from Facebook eight days later. On May 14, he checked to see if Facebook had contacted the developers behind NameTests, and the social media giant replied eight days later that it could potentially take three to six months to go through an investigation.

On June 25, De Ceukelaire noticed that NameTests had fixed the issue, but Facebook did not take action immediately. Facebook seems to have taken at least a month to address the issue and force NameTests to fix the security hole. As part of the bounty reward, NameTests agreed to donate $8,000 to the Freedom of the Press Foundation. The big question here is whether Facebook can continue to function at such a snail’s pace when it comes to handling the data of over 2.2 billion users. Maybe we will hear another ‘Sorry’ from its CEO Mark Zuckerberg soon.
