Maker of popular quiz apps on Facebook exposed personal data of 120 million users

A developer of Facebook quizzes under the brand NameTests has
been found to have exposed the personal information of as many
as 120 million Facebook users, according to a report from
TechCrunch. The company behind NameTests, German
app maker Social Sweethearts, created popular social quizzes
like “Which Disney Princess Are You?” and distributed them on
Facebook, and it has around 120 million monthly users on the
platform. Self-described hacker Inti De Ceukelaire
wrote a Medium post yesterday, outlining how the quizzes
were collecting Facebook information like names, birthdays,
photos, and friend lists and displaying them in a JavaScript
file, one that could be obtained easily by malicious third
parties.

Apparently, Ceukelaire attempted to contact Facebook about this
multiple times and was told the company would look into it. And
in the wake of the Cambridge Analytica data privacy scandal
— in which tens of
millions of users had their personal information collected,
packaged, and sold to a third-party company — Facebook’s
handling of data leaks and security breaches is under
especially heavy scrutiny. Only months later, in June, did
Ceukelaire notice that NameTests had changed the way it
processed user data to close the leak.

There was no evidence the data was misused by a malicious
third party

In a statement given to TechCrunch, Social Sweethearts
said there was no evidence personal data was exposed to third
parties or that the data was ever misused. “As the data
protection officer of Social Sweethearts, I would like to
inform you that the matter has been carefully investigated,”
the statement reads, though it is not attributed to a named
individual. “The investigation found that there was no evidence
that personal data of users was disclosed to unauthorized third
parties and all the more that there was no evidence that it had
been misused. Nevertheless, data security is taken very
seriously at Social Sweethearts and measures are currently
being taken to avoid risks in the future.”

Facebook says it handled the issue through its Data Abuse
Bounty Program. “A researcher brought the issue with the
nametests.com website to our attention through our Data Abuse
Bounty Program that we launched in April to encourage reports
involving Facebook data. We worked with nametests.com to
resolve the vulnerability on their website, which was completed
in June,” said Ime Archibong, a vice president of product
partnerships at Facebook, in a statement given to
TechCrunch.

Regardless, as one of likely many companies that had
less-than-stellar security while operating on Facebook’s
platform, Social Sweethearts and its NameTests quizzes may just
be the first in a string of under-the-radar cases that
third-party auditors and security experts bring to Facebook’s
attention. Facebook said back in March, during the height of
the Cambridge Analytica scandal, that it would be auditing apps
on its platform to weed out data abuse, and in May, Facebook
said it had suspended more than 200 such apps
in that investigation. It
doesn’t appear that NameTests would be flagged as a malicious
case of user data abuse, as it appears to have been an
accidental leak. Nonetheless, these types of situations don’t
bode well for the overall security of Facebook’s platform,
especially as users are now more wary of using any and all
third-party apps on the social network.
