
FB Unearths Another Data Leak of 120 Million Users by Quiz App - NameTests


After the famous Cambridge Analytica scandal, Facebook has again made headlines after it was discovered that a popular quiz app called NameTests had been exposing its users' private data for years. The company was found to have exposed the personal information of as many as 120 million Facebook users.


NameTests is managed by a German app maker named Social Sweethearts, which created popular social quizzes like “Which Disney Princess Are You?” and distributed them on Facebook. As with any Facebook app, users had to sign up on the NameTests website, and while they did so the app asked for permission to fetch some necessary information from their Facebook profile.


However, a researcher noticed that the website was leaking logged-in users' details to other websites opened in the same browser.

How did the leak happen?

The NameTests website had a severe vulnerability that made it possible for other websites to access users' information. The website was found to be storing user data in JavaScript files (which can be accessed by anyone visiting the website). Normally, other websites could not have accessed a user's information because of the browser's CORS policy, but since the data was stored in JavaScript, which a page may load from another origin as a script, any website could connect to NameTests and mine the data of visitors using the app, including photos, friends lists, posts, etc.
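The leak described above is the pattern commonly called cross-site script inclusion. As an added example (not NameTests' or Facebook's code; the session store, handler names and sample requests are constructed), the code below puts a leaky endpoint beside a hardened one and runs the same cross-site request against both.

```javascript
// Added illustration: session store, user record, handler names and requests are constructed.
const SESSIONS = { "sess-abc": { name: "Alice Example", friends: ["Bob", "Carol"] } };

function sessionUser(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers["cookie"] || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Leaky pattern: profile data wrapped in executable JavaScript, keyed only on the cookie.
// A cookie without SameSite restrictions is sent with <script src> loads from any origin,
// and the including page can read the resulting global, so CORS never comes into play.
function leakyUserConfig(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// Hardened pattern: the data is never served as script, and cross-site or
// script-destination requests are refused using the Fetch Metadata headers.
function hardenedUserConfig(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  const site = req.headers["sec-fetch-site"];
  const dest = req.headers["sec-fetch-dest"];
  if ((site && site !== "same-origin" && site !== "none") || dest === "script") {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // browser refuses to run this as a script
      "Cross-Origin-Resource-Policy": "same-origin",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(user),
  };
}

// Constructed requests from one logged-in browser: the site's own fetch, and another site's script load.
const sameSiteFetch = { headers: { cookie: "sid=sess-abc", "sec-fetch-site": "same-origin", "sec-fetch-dest": "empty" } };
const crossSiteScript = { headers: { cookie: "sid=sess-abc", "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" } };
console.log(leakyUserConfig(crossSiteScript).status, hardenedUserConfig(crossSiteScript).status);
```

Setting `SameSite` on the session cookie is a further layer, since it keeps the cookie off cross-site script loads in the first place.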

The researcher reported the flaw through Facebook’s Data Abuse Bounty Programme (which was launched in April) on April 22. Two months later, Facebook informed the researcher that the issue had been fixed, and it donated $8,000 to the Freedom of the Press Foundation as part of its Data Abuse Bounty Programme.


Ankush Johar, Director at Infosec Ventures, an organization that provides complete infrastructure security solutions for commercial and government clients of all sizes, said that this is not the first time that a third-party app has leaked users’ private data. Apart from the already declared and patched privacy controls, there isn’t much Facebook can do about such an incident, as it’s the quiz website that has failed to store PII securely.


“Data is the new oil; it's the most valued resource on the globe, and Facebook lost a lot of it, but the best way to find such leaks is via crowdsourcing, and this bug bounty programme by Facebook is proof. As for users, if a quiz app needs your friend list and liked pages, definitely one should be reluctant. One thing that a user must realize is that one’s security is in their own hands and they have to THINK BEFORE THEY CLICK!” said Johar.