Weeks after the Cambridge Analytica scandal rocked the world, another Facebook app has been found leaving user data unsecured. Popular quizzing app NameTests has been found to have exposed the personal data of about 120 million users.
As reported by security researcher Inti De Ceukelaire in a Medium post, the NameTests quizzes are created by a German app maker Social Sweethearts, known for quizzes like ‘Which Disney Princess Are You?’ or ‘What Age Do You Look’ that are insanely popular on Facebook. If you or anyone you know has answered one of these eye-grabbing quizzes then your data may have been exposed.
NameTests has about 120 million monthly users taking its quizzes and Ceukelaire says an underlying JavaScript file siphoned off personal Facebook data such as user’s Facebook ID, first and last name, languages spoken, gender, date of birth, photos, friend lists, devices, along with posts and status updates. This is pretty much everything Facebook has on you. Ceukelaire says the data had been exposed since at least 2016 and could’ve easily been grabbed by anyone who had access to the backdoor.
He further decided to set up a website that requested all the data NameTests pulled from users taking one of its quizzes and stored their data in the aforementioned JavaScript file. This helped him make the surprising discovery that you only had to take one quiz to give access to all your Facebook info to the quiz maker for 2 months. Ceukelaire even has evidence of the process right here:
Ceukelaire contacted Facebook in April and spoke to them multiple times and Facebook’s Data Abuse Program is supposedly actively working to address such complaints. NameTests just recently fixed the issue and the security researcher was awarded $4000 bug bounty by Facebook, which was doubled when he donated it to charity, for discovering the loophole.
In addition, in a statement to TechCrunch, Social Sweethearts’ data protection officer has denied any misuse of the exposed data. The app maker also issued an official statement, which says,
“Our investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future.”
Facebook is currently under scrutiny from all sides – be it the Congress or EU and it needs to make the users feel safe, instead of thinking of new data leaks every other day. We just get the feeling there are a lot more apps and quizzes which have done this over the years and NameTests is just one of them.
The question facing many users is what to do if you have ever answered one of these quizzes, and the app is no longer on Facebook. In that case, you are out of luck, especially if you want to use Facebook for any amount of time.
