Remember when you took that little Facebook quiz that claimed to reveal “what type of beauty you possess”?
Or that funny photo app that turned you into a magazine cover model? Or maybe that test that told you what kind of “Game of Thrones” character suits you?
Admit it, you have taken a number of these Facebook tests, haven’t you?
Quizzes like these are some of the social media site’s most popular guilty pleasures. If all your Facebook friends are taking them, they’re probably OK, you might think.
Well, the Cambridge Analytica scandal reminded us how these seemingly harmless and fun quizzes and apps can be trojan horses for massive data collection.
Take this popular third-party Facebook quiz app, for example. It looks like it has been leaking user information for years!
Are you one of 120 million?
(No, this is not another silly quiz.)
NameTests, one of Facebook’s biggest quiz app platforms, has been publicly exposing the data of up to 120 million people for years, including names, birthdates, photos and status updates.
Security researcher Inti De Ceukelaire discovered the alarming flaw and reported it via Facebook’s new Data Abuse Bounty program. Note: This program was launched as part of Facebook’s ongoing crackdown on abusive third-party apps.
Now, unlike in the Cambridge Analytica case where the quiz developer willingly shared the data with the analytics firm, Nametest’s data leak was caused by a glitch on its website.
According to De Ceukelaire’s findings, each time someone takes a NameTests quiz, its website fetches the Facebook user’s personal information and displays it on a webpage.
The problem? This page was poorly configured and allowed anyone to access it.
“I was shocked to see that this data [were] publicly available to any third-party that requested it,” de Cuekelaire wrote in a blog post. “In a normal situation, other websites would not be able to access this information.”
The quiz that kept on giving
To prove how easy it was to steal someone’s personal information through the website, he set up his own webpage that connected to NameTests.com and fetched the data about each visitor.
Through his test website, he was able to harvest the private photos, friends list, status updates of each visitor who has used NameTests in the past, even after they’ve deleted the app from their Facebook account.
The NameTests website also provided a secret access token that gave him access to this information for up to two months.
According to de Cuekelaire, the flaw has been there at least since the end of 2016 and based on NameTests’ number of monthly users, it may have publicly exposed the information of more than 120 million people.
Watch the video below to see the NameTests website flaw in action:
Based on the de Cuekelaire’s timeline, he reported the flaw to Facebook on April 22.
On June 25, he noticed that NameTests have fixed the flaw and third parties could no longer access its users’ personal information.
And finally, on June 28, Facebook posted its official public statement regarding the NameTests flaw and confirmed that the fix was indeed in place.
Facebook also revoked the past NameTests access tokens for every Facebook user who used the app in the past.
For his efforts, Facebook awarded $4,000 to de Cuekelaire as part of the bug bounty program. He donated the amount to the Freedom of the Press Foundation instead, which Facebook promptly matched, bringing the total to $8,000.
Click here to read de Cuekelaire’s full blog post on Medium.
How Facebook third-party apps can be dangerous
As usual, despite Facebook’s ongoing crackdown, the NameTests flaw is yet more proof that third-party apps can expose your information without your knowledge!
Now, when you take that seemingly harmless quiz, app or game, please check its permissions diligently. If it’s asking for more than your basic public information, think twice before logging in and granting it access to your Facebook profile.
Here’s one more thing you need to know. Once you authorize a third-party app to access your Facebook data it can remain on your profile forever.
If you’re not auditing your third-party Facebook apps, they can be accessing your data for years without your knowledge!
So in the name of your security, it’s time to audit those third-party Facebook apps.