A security failure in a popular quiz app on Facebook left millions of people's data exposed for almost two years, a cybersecurity activist revealed Thursday.
The application, called Nametests.com, has run Facebook quizzes for years, but it left unprotected the personal data of Facebook users taking such a quiz on its website, allowing third parties to read and steal the data, the activist said.
The leak was discovered by Belgian hacker Inti de Ceukelaire, who published his findings in a blog post.
“There was a security leak at one of the most popular quiz apps that was accessible for at least two years,” De Ceukelaire told POLITICO. “I can only note that Facebook didn't see this.”
He added that the data exposed included pictures, status updates, friends lists and more.
The leak was reported to Facebook in April under its “data abuse bounty” program, launched in the wake of the Cambridge Analytica scandal. Facebook told the hacker it had paid $8,000 to the Freedom of the Press Foundation, at his request, as a reward for finding the security issue.
According to De Ceukelaire, data became exposed as soon as a Facebook user launched a quiz run by Nametests.com. Popular quizzes on the service include “What tattoo should you get?”, “What 3 qualities are unique about you?” and “Enhance your profile picture beauty!”
Nametests.com is run by a German company called Social Sweethearts, which claims to have over 250 million registered users and to reach over 3 billion page views per month.
Social Sweethearts said in a statement that “the matter has been carefully investigated” and it found “no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused.” It said it fixed the vulnerability after hearing of it from Facebook.
De Ceukelaire said that if third parties had accessed the data, they would have simply monitored information on a webpage, making it incredibly difficult to trace or track if and how personal data leaked.
The service has been around since at least 2015, internet archives show, and De Ceukelaire said the vulnerability has existed since the end of 2016.
Basic security problem
Facebook's Vice President for Products and Partnership Ime Archibong said: “We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.”
Critics argue this shows that, even after Facebook tightened the conditions under which applications could access data in 2015, the platform failed to properly police the access and security measures of apps, which could still access substantial amounts of personal data on its platform.
Europe's General Data Protection Regulation (GDPR), a sweeping update of privacy rules, came into force on May 25. EU officials have previously said breaches can be addressed under GDPR if they persisted after May 25, which is likely the case for this incident, though regulators would probably take into account that the issue existed long before the GDPR was fully implemented.
Asked how difficult it was to access personal information, the ethical hacker said: “This is basic stuff. Had [the app builder] done one security test it would have immediately come up.”
Paul-Olivier Dehaye, a privacy activist who has testified before the U.K. and European parliaments about Facebook's use of personal data, said: “It looks like Facebook's oversight of the app ecosystem didn't include technical policing of the security of the apps, but instead relied on contractual terms to take care of that aspect.”
Facebook is undergoing an audit of thousands of applications that had access to its data in past years, following the scandal involving political consulting firm Cambridge Analytica that was revealed in March and affected 87 million users.
It has suspended hundreds of apps and is further investigating these cases because of suspicion that more data leaked.