
“NameTests” Facebook Quiz Exposed Personal Data Of 120 Million Users For Years

When the Facebook-Cambridge Analytica scandal started making headlines, many Facebook critics and security experts called it just the beginning. That prophecy is turning out to be accurate: a dubious quiz application named NameTests has ended up exposing the data of about 120 million users for years.

According to Inti De Ceukelaire, the security researcher who uncovered the leak, this incident affects almost every American Facebook user. The hacker spotted this screwup when he came across Facebook’s Data Abuse Bounty program, which was launched as part of the cleanup after the CA scandal.

Ceukelaire writes that he recorded all the apps his friends were using and found Facebook quizzes to be the fishiest ones. To his surprise, the NameTests quiz was exposing the participant’s personal information in JavaScript. As a result, any website could access that information simply by making a request for it.

He verified this by setting up a fresh website, connecting it to the NameTests Facebook quiz, and trying to retrieve information about the site’s visitors. Moreover, NameTests also provided access tokens to the websites that would let them access the user’s posts, friends list, etc.
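The article does not show NameTests' code, so the following is an added illustration (not from the researcher, NameTests or Facebook) of the class of flaw described above: cookie-authenticated personal data returned as executable script, next to a hardened handler for the same data. The handler names, the `x-quiz-client` header and the sample session are assumptions made for the example.

```javascript
// Added illustration, not NameTests code. Routes, header names and sample
// values are constructed; handlers are plain functions so they run offline.
const SESSIONS = { 'sess-123': { name: 'Alice Example', accessToken: 'CONSTRUCTED-TOKEN' } };

// Weak pattern: the session cookie alone selects the user and the reply is
// executable script. Browsers attach cookies to <script src> loads from any
// site, so every embedding page ends up with `userData` in its global scope.
function weakHandler(req) {
  const user = SESSIONS[req.cookies.sid];
  if (!user) return { status: 401, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `var userData = ${JSON.stringify(user)};`,
  };
}

// Hardened pattern for the same data.
function hardenedHandler(req) {
  const user = SESSIONS[req.cookies.sid];
  if (!user) return { status: 401, headers: {}, body: '' };
  const h = req.headers;
  // Fetch Metadata: refuse anything the browser marks as not same-origin.
  if (h['sec-fetch-site'] && h['sec-fetch-site'] !== 'same-origin') return deny();
  // A script include cannot set custom headers, and a cross-site fetch that
  // sets one needs a CORS preflight that this server never approves.
  if (h['x-quiz-client'] !== '1') return deny();   // hypothetical header name
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',          // data, not script
      'X-Content-Type-Options': 'nosniff',         // block use as a script
      'Cache-Control': 'no-store',
    },                                             // note: no Access-Control-Allow-Origin
    body: JSON.stringify({ name: user.name }),     // access token stays server-side
  };
}

function deny() {
  return { status: 403, headers: { 'Cache-Control': 'no-store' }, body: '' };
}

// Constructed requests: a cross-site script include and a first-party fetch.
const crossSiteInclude = { cookies: { sid: 'sess-123' },
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' } };
const firstPartyFetch = { cookies: { sid: 'sess-123' },
  headers: { 'sec-fetch-site': 'same-origin', 'x-quiz-client': '1' } };

console.log(weakHandler(crossSiteInclude).status, hardenedHandler(crossSiteInclude).status,
  hardenedHandler(firstPartyFetch).body);
```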


NameTests even continued sharing the personal data after the user deleted the app. For a complete cleanup, the user had to manually erase the cookies stored on the device.

On April 22nd, Ceukelaire reported the NameTests data leak issue to Facebook’s Data Abuse program; it got resolved just a few days ago. The company paid an $8000 bug bounty to a charity as per his request.

Data Abuse Bounty report results in fixed third-party bug. We wanted to call out a fix by nametests.com that happened…

Posted by Facebook Bug Bounty on Thursday, June 28, 2018

In response, NameTests told him that there is no evidence of any kind of data abuse by any third party. It’s worth noting that NameTests kept working with various partners that display advertisements based on user data, as per their privacy policy. Go figure!
