Facebook Quiz App Leaks Data of 120 Million Users Publicly

We have got another report about a Facebook related fail, as its popular application NameTests leaked data of over 120 million Facebook users publicly.

Facebook Fail – NameTests Quiz App Leaked Personal Data of Facebook Users

Another Facebook fail has put one more question to Facebook’s credibility. Ethical hacker and security researcher, Inti De Ceukelaire, discovered how a popular Facebook application ‘NameTests’ leaked users’ data. According to his findings, the app had a userbase of about 120 million, all of which was publicly available. The researcher shared his findings in a blog post on Medium.

According to De Ceukelaire, NameTests leaked data online for several years. However, this was not a deliberate move, rather a flaw in NameTests’ website coding. When the researcher tried this app himself, he found that the app displayed his profile information wrapped in JavaScript that anyone could share.

He states in his blog,

“One of the basic principles of JavaScript is that it can be shared with other websites. Since NameTests displayed their user’s personal data in the javascript file, virtually any website could access it when they would request it.”

To corroborate his findings, he created a website and linked it with NameTests. He found that the linked site could retrieve visitor’s data for the last two months. The data remains accessible even after the user deletes the app.

“NameTests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access to a visitor’s posts, photos, and friends. It would only take one visit to our website to gain access to someone’s personal information for up to two months.”

The researcher says that the only way to get rid of NameTests was to delete cookies manually. Otherwise, it’s not possible to log out of NameTests once a user logs in it through the Facebook profile. The leaked data includes Facebook ID, usernames, profile picture and cover photo, date of birth, location, gender, users’ posts, photos, and friends.

Facebook Has Fixed This Flaw

Inti De Ceukelaire discovered this vulnerability around two months ago. He informed Facebook about the flaw on April 22, 2018. However, Facebook replied to him that it would take them a few months to investigate the matter.

On June 25, 2018, he discovered that NameTests made some changes in their data processing so that no third party could access the data. However, until this time, NameTests continued to run in the usual way. He later contacted Facebook, informed them about the fix (which he confirmed from the NameTest’s Digital Protection Officer), and won a bounty of $8,000 for a charity.

Facebook has also uploaded a post about the entire incident.

Although NameTests confirms that they know of no abuse to this data. It is unclear if the data truly remained safe from malicious activities.

From the look of the things, NameTests seems to have failed in protecting its users’ data. Nonetheless, it is the primary responsibility of all Facebook users to ensure their profile security. Be wary of such apps while using Facebook, and the permissions you give to these apps. As evident from the recent incidence, you never know when a fun-filled activity becomes a resource for hackers.


Related posts

JetBrains GitHub Plugin Vulnerability Affects IntelliJ IDEs

Microsoft June 2024 Patch Tuesday Update Fixed ~50 Vulnerabilities

Upgrade Your PHP Installations for A Critical RCE Flaw Patch