A hacker has found that a Facebook quiz has exposed the information of more than 120 million monthly users, even after they deleted the app.
Inti De Ceukelaire, a hacker at Securinti, wrote in a Medium post that Nametests.com, the website behind the quizzes, recently fixed a flaw that publicly exposed the information.
De Ceukelaire started looking for data abusers on Facebook’s platform after the company announced a data abuse bounty on April 10. He started his search with quizzes, since those were among the most popular apps.
Upon taking his first quiz from Nametests.com, he quickly realized it was exposing Facebook users’ data to “any third-party that requested it.”
In addition, the quiz was providing an access token that allowed it to grant even more expansive data access permissions to third-party websites, including users’ Facebook posts, photos and friends.
He also added that after he notified Facebook of his discovery, the social media giant donated $8,000 to the Freedom of the Press Foundation at his request, as part of its Data Abuse Bounty Program.
While Facebook has declined to answer specific questions about the quiz, it did release this statement: “A researcher brought the issue with the Nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with Nametests.com to resolve the vulnerability on their website, which was completed in June,” wrote Ime Archibong, VP of product partnerships.
But Nametests’ parent company, German company Social Sweethearts, denies any breach even occurred, with the company’s data protection officer stating to reporters, “I would like to inform you that the matter has been carefully investigated. The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties, and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future.”