(Another) Facebook Quiz Exposed Data On 120M Users

A hacker has found that a Facebook quiz exposed the personal information of more than 120 million monthly users, and kept exposing it even after they had deleted the app.

Inti De Ceukelaire, a hacker at Securinti, wrote in a Medium post that Nametests.com, the website behind the quizzes, recently fixed a flaw that publicly exposed the information.

De Ceukelaire started looking for data abusers on Facebook’s platform after the company announced a data abuse bounty on April 10. He started his search with quizzes, since those were among the most popular apps.

Upon taking his first quiz from Nametests.com, he quickly realized it was exposing Facebook users’ data to “any third-party that requested it.”

Specifically, Nametests was serving the quiz taker's personal data (such as full name, location, age and birthday) inside a JavaScript file. A browser will load and run a script from whatever site a page includes it from, sending the user's Nametests cookies along with the request, so any external website the user happened to visit could include that file and read their identity and other data.

In addition, the file included an access token, which let a third-party website request still more of the user's data from Facebook, including their posts, photos and friends.

“Depending on what quizzes you took, the JavaScript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” wrote De Ceukelaire, who believes the data has been publicly exposed since at least the end of 2016.
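The leak pattern described above, as an added example that is not Nametests' code or De Ceukelaire's: a profile endpoint that serves user data as executable JavaScript (which any third-party page can pull in with a script tag, cookies attached) beside a hardened version that serves plain JSON, marks it nosniff, keeps the access token server-side and only exposes the body cross-origin to an allowlisted origin. The session store, field values, origins and handler names are all assumptions; the browser model at the end is deliberately simplified.

```javascript
'use strict';

// Constructed sample session store: what the quiz site knows about the
// logged-in quiz taker (hypothetical values, not real data).
const SESSIONS = {
  'sid=abc123': {
    id: '1000123',
    first_name: 'Ada',
    last_name: 'Lovelace',
    birthday: '12/10/1815',
    access_token: 'EAAB.redacted', // Facebook user token held by the app
  },
};

// VULNERABLE pattern (assumed shape, modelled on the article's description):
// the profile is served as executable JavaScript that assigns to a global.
// Any third-party page can load it with <script src="https://quiz.example/profile.js">;
// the browser sends the victim's cookies with that request, and the page then
// simply reads window.userProfile.
function profileScriptHandler(req) {
  const user = SESSIONS[req.cookie];
  if (!user) return { status: 401, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'content-type': 'application/javascript' },
    body: 'window.userProfile = ' + JSON.stringify(user) + ';',
  };
}

// HARDENED version: plain JSON (not executable), nosniff so a browser will
// never run it as a script, the access token kept server-side, and the body
// readable cross-origin only from an explicit allowlist.
const ALLOWED_ORIGINS = new Set(['https://quiz.example']);

function profileJsonHandler(req) {
  const user = SESSIONS[req.cookie];
  if (!user) return { status: 401, headers: {}, body: '' };
  const { access_token: _keptOnServer, ...publicFields } = user;
  const headers = {
    'content-type': 'application/json',
    'x-content-type-options': 'nosniff',
    'vary': 'Origin',
  };
  if (ALLOWED_ORIGINS.has(req.origin)) {
    headers['access-control-allow-origin'] = req.origin;
  }
  return { status: 200, headers, body: JSON.stringify(publicFields) };
}

// Simplified model of the two browser rules that decide what a page on
// attackerOrigin can read (assumption: modern browser; real rules have more cases):
//  - <script src>: the body runs with the victim's cookies attached unless the
//    MIME type is not JavaScript AND nosniff is set; a bare JSON object literal
//    is a syntax error when run as a script, so it yields nothing.
//  - fetch(): the body is readable only if Access-Control-Allow-Origin
//    matches the requesting page's origin.
function whatThirdPartyCanRead(attackerOrigin, handler, victimCookie) {
  const resp = handler({ cookie: victimCookie, origin: attackerOrigin });
  const result = { viaScriptTag: null, viaFetch: null };
  if (resp.status !== 200) return result;

  const ct = resp.headers['content-type'] || '';
  const nosniff = resp.headers['x-content-type-options'] === 'nosniff';
  if (ct.includes('javascript') || !nosniff) {
    const fakeWindow = {};
    try {
      new Function('window', resp.body)(fakeWindow); // what a <script> tag does
      result.viaScriptTag = fakeWindow.userProfile || null;
    } catch (e) {
      result.viaScriptTag = null; // not valid JavaScript: nothing leaks
    }
  }
  if (resp.headers['access-control-allow-origin'] === attackerOrigin) {
    result.viaFetch = JSON.parse(resp.body);
  }
  return result;
}
```

Run `whatThirdPartyCanRead('https://evil.example', profileScriptHandler, 'sid=abc123')` to see the full profile, token included, come back through the script-tag path; the same call against `profileJsonHandler` returns nothing on either path, and only the allowlisted origin can read the JSON, minus the token. Marking the session cookie `SameSite=Lax` or `Strict` would stop the cookie being attached to a cross-site script request in the first place, which is a second, independent layer worth adding.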

He added that, after he reported the issue, Facebook paid out under its Data Abuse Bounty Program by donating $8,000 to the Freedom of the Press Foundation at his request.

While Facebook has declined to answer specific questions about the quiz, it did release this statement: “A researcher brought the issue with the Nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with Nametests.com to resolve the vulnerability on their website, which was completed in June,” wrote Ime Archibong, VP of product partnerships.

But Nametests’ parent company, the German firm Social Sweethearts, denies that any breach occurred. Its data protection officer told reporters, “I would like to inform you that the matter has been carefully investigated. The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties, and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future.”