Popular Facebook quiz app exposed data on more than 120 million users


A researcher discovered this Facebook app had been exposing people’s data for years.


Alfred Ng/CNET

If you tried to find out what Disney Princess you were on Facebook years ago, you might have given up more than your name. 

A security researcher found that a popular Facebook quiz app called “Nametests” had a flaw that allowed anybody to pull up information on more than 120 million people, even after the app was deleted. 

The flaw echoes Facebook’s privacy issues as it continues to deal with the fallout from its Cambridge Analytica scandal. The data analytics firm had also used a personality quiz to obtain data on 87 million Facebook users without their permission. 

Unlike Cambridge Analytica, this flaw wasn’t through Facebook — the security issue was with flawed coding on Nametests’ website.

Facebook addressed the issue with a post on its Bug Bounty page, writing that Facebook has worked with Nametests’ developers Social Sweethearts to address the vulnerability. The popular quiz app has more than 120 million monthly active users.

“A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June,” Ime Archibong, Facebook’s vice president of partner products, said in a statement.

Inti De Ceukelaire detailed his discovery in a Medium post, writing that he had found it as part of Facebook’s new Data Abuse bug bounty program, which launched in April. 

He noticed his personal information loaded on Nametests’ website without any encryption or security, and the data was publicly available to anyone with the link. The data showed his name, the country he was from, his birthdate, his gender and his age.

“I was shocked to see that this data was publicly available to any third-party that requested it,” De Ceukelaire wrote in his post. “In a normal situation, other websites would not be able to access this information.”

He then set up a website that could get information on anyone who visited it if they had used Nametests in the past. Through that webpage, he was able to load data on a visitor’s private photos, status updates and friends. 

Nametests’ developer, Social Sweethearts, said it fixed the flaw after it “carefully investigated” the issue.

“The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused,” the company’s data protection officer Thomas Schwenke said in a statement. 

Social Sweethearts did not provide any evidence to back that claim.

De Ceukelaire said he reported the bug on April 22, and it was fixed on June 25, more than a month later. Facebook offered the researcher $4,000 for the bug bounty, and he instead asked to donate it to the Freedom of the Press Foundation. Facebook matched the donation to make it $8,000. 

The flaw highlights Facebook’s problems with third-party apps, even as the social network looks to crack down on them after data abuse from Cambridge Analytica. Facebook has already deleted about 200 apps in its data misuse investigation, but privacy flaws continue to find a way to surface.
