(Screencap from NameTests website)
When it rains, it pours. Facebook is still recovering from the massive crisis brought by the Cambridge Analytica scandal and yet another data leak exposé is hounding the social networking site.
TechCrunch reported that Facebook-quiz developer NameTests exposed the information of about 120 million users, albeit “accidentally.” Users have been warned that some of these fraudulent quizzes might be harvesting their data and activity and selling it to third parties, who could use it for illegal purposes.
In a Medium post, a “hacker” named Inti De Ceukelaire explains how the quizzes might be collecting “names, birthdays, photos, and friend lists and displaying them in a JavaScript file” even after Facebook had already deleted the app.
De Ceukelaire writes: “One of the basic principles of javascript is that it can be shared with other websites. Since NameTests displayed their user’s personal data in javascript file, virtually any website could access it when they would request it.”
Facebook is doing a major purging after the immense pressure brought by the Cambridge Analytica scandal. According to TechCrunch, it has deleted over 200 malicious apps and quizzes from the thousands it reviewed.
Testing the test
De Ceukelaire claims to be a participant in Facebook’s Bug Bounty Program, which “inspired” him to “test” the “Which Disney Princess Are You?” quiz. That is how he learned that his data was publicly available “to any third party that requested it.” He says web browsers normally prevent other websites from harvesting user data. But in this case, the app or quiz “wrapped” the data in JavaScript, “an object-oriented computer programming language commonly used to create interactive effects within web browsers.”
De Ceukelaire says that, by abusing this flaw, third parties could have used the information not just for targeted commercial ads but also for political ads based on users’ Facebook behavior.
“More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends,” he says.
He offers a bit of advice: “In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality.”
De Ceukelaire says he reported this to Facebook in April. He followed up the next month after noticing that nothing had been done about his discovery, and was informed that a team was looking into it. His persistence bore fruit when he noticed on June 25 that “NameTests had changed the way they process data. Third-parties could no longer access its users’ personal information.”
The hacker contacted Facebook and asked that the company donate his bug bounty to the Freedom of the Press Foundation, which Facebook doubled to $8,000 because he chose to give it to charity.