Nametests.com, a popular third-party website that offers various quizzes for Facebook users, put private data of about 120 million users at risk for years, a security researcher has disclosed.
Inti De Ceukelaire, an ethical hacker, demonstrated how the security loophole worked. He explained in a blog post that he had set out to find a flaw in the social network after Facebook introduced the Data Abuse Bounty programme in the wake of the Cambridge Analytica data harvesting scandal.
De Ceukelaire focused on NameTests, a popular quiz app on the social network, and discovered that the website served users' personal information from a URL that any other website could load. The data was wrapped in a JavaScript programme, so any third-party page that included it could read the data.
The hacker further pointed out that NameTests could identify users even after the application was deleted.
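The pattern De Ceukelaire describes, user data delivered as an executable script that any page can include with a script tag, is the JSONP pattern, and the data leaks because a script tag request carries the victim's cookies but is never subject to an origin check. The following is an added example, not code from the article, from NameTests or from the researcher; the endpoint shape, session store, origin names and user record are all constructed for the demonstration. It places the leaking endpoint beside a hardened one and simulates both a third-party page loading each via a script tag and the site's own same-origin request.

```javascript
// Added example (not from the article, NameTests or Social Sweethearts).
// Two versions of a "who is the logged-in user" endpoint, modelled as pure
// functions over a request object so they can be exercised offline.
// Session store, origins and user record are constructed for the demo.

const SESSIONS = { 'sess-abc123': { name: 'Alice Example', id: '100001' } };
const SITE_ORIGIN = 'https://quiz-site.example'; // constructed, stands in for the real site

function deny(status) {
  return { status, headers: { 'Content-Type': 'text/plain' }, body: '' };
}

// Vulnerable: the user record is wrapped in a call to a caller-chosen function
// and served as JavaScript. A <script src="..."> tag on ANY origin sends the
// victim's cookies, receives this body and executes it, so the embedding page
// learns who the visitor is. Nothing here looks at where the request came from.
function vulnerableUserEndpoint(req) {
  const user = SESSIONS[req.cookies.session];
  if (!user) return deny(401);
  const cb = req.query.callback || 'handleUser';
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(user)});`,
  };
}

// Hardened: refuse cross-site loads, require a header a <script> tag cannot
// set, and return plain JSON (not a program) with nosniff so a browser will
// not execute it as script even if it is requested that way.
function hardenedUserEndpoint(req) {
  const h = req.headers || {};
  // Browsers label a <script> load from another site as Sec-Fetch-Site: cross-site.
  if (h['Sec-Fetch-Site'] === 'cross-site') return deny(403);
  // A custom header can only be added by script on our own origin; a cross-origin
  // fetch that adds it triggers a CORS preflight, which this endpoint never approves
  // (it sends no Access-Control-Allow-* headers).
  if (h['X-Requested-With'] !== 'XMLHttpRequest') return deny(403);
  const user = SESSIONS[req.cookies.session];
  if (!user) return deny(401);
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: JSON.stringify(user),
  };
}

// Simulates a third-party page embedding
//   <script src="https://quiz-site.example/user?callback=steal">
// The browser attaches the victim's cookies for quiz-site.example and executes
// whatever JavaScript comes back, with "steal" bound to the page's own function.
// Returns the user data the attacker page would capture, or null if nothing leaks.
function simulateScriptTagLoad(endpoint, victimCookies) {
  const res = endpoint({
    origin: 'https://third-party.example', // constructed embedding site
    cookies: victimCookies,
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'script' },
    query: { callback: 'steal' },
  });
  if (res.status !== 200) return null;
  const type = res.headers['Content-Type'] || '';
  // With nosniff a browser refuses to run a non-JavaScript MIME type as script.
  if (res.headers['X-Content-Type-Options'] === 'nosniff' && !/javascript/.test(type)) return null;
  let captured = null;
  try {
    // Execute the body the way a script tag would; a bare JSON object is a syntax error.
    new Function('steal', res.body)((data) => { captured = data; });
  } catch (e) {
    captured = null;
  }
  return captured;
}

// The site's own front end asking for the current user: same origin, custom header set.
function simulateSameOriginFetch(endpoint, cookies) {
  const res = endpoint({
    origin: SITE_ORIGIN,
    cookies,
    headers: { 'Sec-Fetch-Site': 'same-origin', 'X-Requested-With': 'XMLHttpRequest' },
    query: {},
  });
  return res.status === 200 ? JSON.parse(res.body) : null;
}

const victim = { session: 'sess-abc123' };
console.log('leaked via vulnerable endpoint:', simulateScriptTagLoad(vulnerableUserEndpoint, victim));
console.log('leaked via hardened endpoint:  ', simulateScriptTagLoad(hardenedUserEndpoint, victim));
console.log('own front end still works:     ', simulateSameOriginFetch(hardenedUserEndpoint, victim));
```

The three changes in the hardened handler are independent layers: the Sec-Fetch-Site check stops the cross-site load at the front door, the custom-header requirement means any cross-origin request must pass a CORS preflight the server does not grant, and serving JSON with nosniff ensures that even a response that did reach a script tag could not run. Marking the session cookie SameSite would add a fourth layer by keeping the cookie off cross-site script loads entirely.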
“I would imagine you wouldn’t want any website to know who you are, let alone steal your information or photos. Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends,” he wrote in a post.
Here’s a video demonstration of how the loophole worked.
Should you be worried?
De Ceukelaire said he has already alerted Facebook about the security loophole. “At my request, Facebook donated $8,000 to the Freedom of the Press Foundation as part of their Data Abuse Bounty Program,” he said in the post.
Responding to the researcher’s claim, Facebook said it has fixed the vulnerability, and NameTests’ parent company — Social Sweethearts — has stated that it found no evidence of any personal data being exposed.
“It was reported by Inti De Ceukelaire and we worked with the app’s developer — Social Sweethearts — to address the website vulnerability he identified which could have affected Facebook information people shared with nametests.com. To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it,” Facebook said in a post.
“The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at social sweethearts and measures are currently being taken to avoid risks in the future,” a Social Sweethearts spokesperson told Gizmodo.