(Screencap from NameTests website)
When it rains, it pours. Facebook is still recovering from the massive crisis brought by the Cambridge Analytica scandal and yet another data leak exposé is hounding the social networking site.
TechCrunch reported that Facebook quiz developer NameTests exposed information of about 120 million users, albeit “accidentally.” Users have been warned that some of these fraudulent quizzes might be harvesting their data and activities and then selling them to a third party, where they can be used for illegal purposes.
Facebook is carrying out a major purge after the immense pressure brought by the Cambridge Analytica scandal. According to TechCrunch, it has deleted over 200 malicious apps and quizzes from the thousands it reviewed.
Testing the test
De Ceukelaire says that by abusing this flaw, third parties could use the user information not just for targeted commercial ads but also political ads based on their Facebook behavior.
“More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends,” he says.
He offers a bit of advice: “In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality.”
De Ceukelaire says he reported this to Facebook in April. He followed up the next month after he noticed that nothing had been done about his discovery. He was informed that a team was looking into it. His persistence bore fruit when he noticed on June 25 that “NameTests had changed the way they process data. Third-parties could no longer access its users’ personal information.”
The hacker contacted Facebook and asked that the company donate his Bug Bounty Program reward to the Freedom of the Press Foundation. Facebook doubled it to $8,000 because he chose to give it to charity.