History has a tendency to repeat itself. Months after Cambridge Analytica, 120 million Facebook users could have their data accessed by malicious websites after a quiz company put data like name, gender, and even photos inside easily accessible JavaScript. As Facebook continues auditing hundreds of third-party apps, hacker Inti De Ceukelaire shared how a security vulnerability on the quiz platform nametests.com could have exposed the data of 120 million users.
Curious after the Cambridge Analytica scandal, Ceukelaire decided to take his very first Facebook quiz and use his hacking skills to see just how the third-party platform handled his data. He picked the platform most used by his Facebook friends, nametests.com, and took the quiz “Which Disney Princess Are You?”
Following the data, Ceukelaire found his information inside an easily accessible JavaScript file. Scripts are designed to be loaded across sites, so any site you visited after taking the test could include that file and read the data. The data included things like username, gender, friend lists, and shared posts.
The nature of JavaScript means that someone who took the test would have to visit a malicious website for a data leak to occur, so the flaw doesn’t mean that the data of all 120 million users of the platform was compromised. The easy accessibility of that data, however, is concerning, Ceukelaire says. As an example of just what could happen with that type of security flaw, a pornographic website could access a friend list and use it to blackmail users with the threat of exposure, Ceukelaire suggested.
After such a visit, the data would remain accessible for up to two months. Removing the nametests.com app also doesn’t solve the issue — users also have to delete the cookies on their device to stop the data access.
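The difference between the flaw described above and a safe design, as an added Node.js example that is not nametests.com’s or Facebook’s code: a profile record served as an executable script can be pulled in by any site, while the same record served as JSON cannot be read cross-origin without an explicit CORS grant. The field names, the allowed origin and the browser-check helper are constructed assumptions.

```javascript
// Added example: two ways a quiz backend might hand profile data to its front end.
// ALLOWED_ORIGIN and SAMPLE_USER are constructed, not taken from the article.
const ALLOWED_ORIGIN = "https://quiz.example";

// Constructed record standing in for the kind of data the article lists.
const SAMPLE_USER = {
  name: "Alice Example",
  gender: "female",
  friends: ["Bob Example", "Carol Example"],
};

// Vulnerable pattern: profile data baked into an executable script. A
// <script src=...> tag on ANY site runs it, because browsers load and execute
// cross-origin scripts and attach the quiz site's cookies to the request for
// as long as those cookies live.
function buildScriptResponse(user) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `window.quizUser = ${JSON.stringify(user)};`,
  };
}

// Hardened pattern: plain JSON, readable only by same-origin code unless an
// explicit CORS header says otherwise; only the quiz's own origin gets one.
function buildJsonResponse(user, requestOrigin) {
  const headers = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff", // never reinterpreted as a script
    "Cache-Control": "no-store",         // no lingering copies
    "Vary": "Origin",
  };
  if (requestOrigin !== undefined && requestOrigin !== ALLOWED_ORIGIN) {
    // Cross-origin request from an unknown site: no data, no CORS grant.
    return { status: 403, headers, body: JSON.stringify({ error: "forbidden" }) };
  }
  if (requestOrigin === ALLOWED_ORIGIN) {
    headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN;
  }
  return { status: 200, headers, body: JSON.stringify(user) };
}

// Simplified model of the browser's rule: can a page at `pageOrigin` read the
// body of `response`, which was served from ALLOWED_ORIGIN?
function readableByPage(response, pageOrigin) {
  if (response.headers["Content-Type"].startsWith("application/javascript")) {
    return true; // scripts execute cross-origin; the page sees what they assign
  }
  const allow = response.headers["Access-Control-Allow-Origin"];
  return pageOrigin === ALLOWED_ORIGIN || allow === pageOrigin || allow === "*";
}
```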
As part of Facebook’s Data Abuse Bounty program, the vulnerability has now been corrected; Ceukelaire donated the reward to charity. Nametests says it didn’t find anything suggesting the data was abused and says it put additional tests in place to avoid similar data leaks in the future. Facebook also revoked all access to Nametests, which means users will have to grant the app permission again to continue using the quizzes.
But perhaps what is even more disconcerting is that after Cambridge Analytica, after data researchers suggested that most Facebook quizzes exist to track your data, and after another quiz app was exposed, online quiz platforms can still say they have 120 million monthly users. Is finding out which Disney princess you are worth allowing another company to access your Facebook data?
Already taken the quiz? Find out how to adjust your security settings here.