Ethical hacker Inti De Ceukelaire published an article on Medium on Wednesday detailing how he found a security loophole in a popular maker of Facebook personality quizzes. In the wake of the Cambridge Analytica scandal, Facebook announced the launch of a bounty program in April, designed to reward people for flagging the misuse of data by app developers.
De Ceukelaire was one of those who began investigating, starting with personality quizzes created by Nametests.com, which claims to have more than 120 million users. He noticed while loading a quiz that the website was fetching his personal Facebook information via Nametests, meaning his data was publicly available to third parties.
De Ceukelaire ran a test to see how easy it would be to steal someone’s personal data by setting up a website to connect to Nametests.com. He ascertained that one visit to the website would provide access to someone’s personal Facebook data for up to two months. Even if someone deleted the app, Nametests could still reveal their identity.
According to De Ceukelaire, depending on which quizzes a user took, a huge amount of user data could have been leaked, including their Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, the devices they use, when their information was last updated, posts and statuses, photos and friends.
If someone deleted the app, their Facebook ID, first name, last name, language, gender, and date of birth were all still vulnerable. He noted that the only way to prevent this would be to manually delete all their cookies.
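The failure described above, modelled as an added example (not code from the article or from Nametests): an endpoint whose only check is a long-lived session cookie hands data to any page the browser visits, and deleting the app does not end the session. The hardened version beside it adds the three server-side checks a defender would expect: an Origin allowlist, a short session lifetime, and revocation when the user removes the app. All names, sessions, profiles, origins and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Session:
    user_id: str
    created: datetime
    app_installed: bool = True  # flips to False when the user removes the app


@dataclass
class Request:
    session_cookie: Optional[str]  # cookie the browser attaches automatically
    origin: Optional[str]          # Origin header of the page making the request


# Constructed sample data: not real users, sessions or Nametests endpoints.
PROFILES = {"u1": {"id": "u1", "first_name": "Alice", "birthday": "1990-01-01"}}
SESSIONS = {"s-abc": Session("u1", created=datetime(2018, 4, 1))}
NOW = datetime(2018, 4, 1, 0, 30)            # shortly after the quiz was taken
WEEKS_LATER = datetime(2018, 5, 20)          # still inside the two-month window

VULNERABLE_MAX_AGE = timedelta(days=60)      # the article's "up to two months"
HARDENED_MAX_AGE = timedelta(hours=1)
ALLOWED_ORIGINS = {"https://quiz.example"}   # assumed first-party origin


def vulnerable_profile(req: Request, now: datetime) -> Optional[dict]:
    """Cookie alone is authority: any site the browser visits gets the data."""
    s = SESSIONS.get(req.session_cookie)
    if s is None or now - s.created > VULNERABLE_MAX_AGE:
        return None
    return PROFILES[s.user_id]


def hardened_profile(req: Request, now: datetime) -> Optional[dict]:
    """Same lookup plus the checks that close the cross-site leak."""
    s = SESSIONS.get(req.session_cookie)
    if s is None or now - s.created > HARDENED_MAX_AGE:
        return None
    if req.origin not in ALLOWED_ORIGINS:  # a third-party page embedded the call
        return None
    if not s.app_installed:                # consent withdrawn, session must die
        return None
    return PROFILES[s.user_id]


def on_app_removed(user_id: str) -> None:
    """Revoke every session for the user the moment they delete the app."""
    for s in SESSIONS.values():
        if s.user_id == user_id:
            s.app_installed = False
```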
In his piece, De Ceukelaire writes that while Nametests has more than 120 million active monthly users, there’s no way of knowing how many people could have been affected since its launch in 2015. According to archive.org, the flaw had been present in the site’s code since at least the end of 2016, he said.
In a statement sent to Business Insider, the Data Protection Officer for Nametests’ developer Social Sweethearts said: “The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused.”
De Ceukelaire decided to donate his bounty of $4,000 to the Freedom of the Press Foundation, which Facebook matched for a total of $8,000.
Ime Archibong, Facebook’s vice president of product partnerships, said: “A researcher brought the issue with the Nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.”