Facebook Quiz App Exposes the Data of 120 Million Users

Facebook

Are you really surprised at this point?

Facebook’s been in hot water over this stuff for a while. Back in March, it all began with Cambridge Analytica purchasing user data from the professor running the quiz app thisisyourdigitallife. And the hits just keep on coming, because an ethical hacker by the  name of Inti De Ceukelaire has exposed a breach in what’s being called the NameTests security flaw.

On Wednesday last week, he detailed exactly how the whole thing works:

In the light of the Cambridge Analytica scandal, Facebook tried to clean up its act by launching their data abuse bounty program. Being a participant in their Bug Bounty Program, I got triggered and decided to give it a shot. I scrolled through my timeline and noted down all apps my friends were using. Fitness trackers and Facebook Quizzes topped my list. The latter have been heavily criticised for their massive data harvesting and data-greedy permissions, so for the first time in my life, I took a Facebook Quiz.

Upon closer investigation, I noticed something strange.

While loading a test, the website would fetch my personal information and display it on the webpage. Here’s where it got my personal information from:

http://nametests.com/appconfig_user

That Javascript file was accessible to anyone that knew it was there. And it contains a fair amount of info: your name, photos, date of birth, friends, and so on. Any website could put in a token to have access to that data for up to 2 months. De Ceukelaire  gives an example of a shady site that a user who has take the quiz visits:

I would imagine you wouldn’t want any website to know who you are, let alone steal your information or photos. Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends.

De Ceukelaire submitted the issue to Facebook’s bounty program, but they were incredibly slow to respond. What’s more, they framed the whole thing as a voluntary announcement, when they’d actually been made aware of the issue for some time. needless to say, while De Ceukelaire goes into far more depth on the Medium post linked above, he did detail some steps you can take to protect your data:

  • Delete apps you’re not using
  • Be careful about granting apps access to your data
  • Delete your cookies on the reg
READ:  After Rebranding As Meta, Facebook Has Lost $500 Billion

Oh, and my suggestion:

  • Don’t use those stupid Facebook quiz apps in the first place
Source: Gizmodo

About Author

B. Simmons

Based out of Glendale California, Bryan is a GAMbIT's resident gaming contributor. Specializing in PC and portable gaming, you can find Bryan on his 3DS playing Monster Hunter or at one of the various conventions throughout the state.

Learn More →