A Quiz App Exposed 120 Million People’s Facebook Data—and Cambridge Analytica Had Nothing to Do With It

The Facebook logo on a broken screen of a mobile phone.
Joel Saget/Getty Images

The latest chapter in Facebook’s data woes involves a quiz app that, until as recently as June, exposed the information of 120 million people who just wanted to know whether they were Cinderella or Elsa.

In a Medium post Wednesday, security researcher Inti De Ceukelaire described how a quiz app called NameTests left the data of its users vulnerable to third-party websites. According to De Ceukelaire, beginning as early as the end of 2016, NameTests collected Facebook users’ data when they opted to take a quiz, such as “Which Disney Princess Are You?” The app then displayed that data—including names, birthdays, photos, and friends lists—in JavaScript files easily accessible by third-party websites.

De Ceukelaire writes, “Depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and status, your photos and your friends.”

It’s not immediately clear whether any unauthorized parties accessed the data. De Ceukelaire says he “would be surprised if nobody else found this earlier,” since the flaw was “really easy to spot,” but NameTests said it found no evidence of abuse. (De Ceukelaire writes that the vulnerability could have been a “rookie programming mistake.”) But he says the data remained exposed even if people deleted the app. He writes, “In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality.”
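The sketch below is an added illustration, not NameTests’ code and not the fix it deployed: it contrasts a handler that returns a logged-in user’s data as a script, authorized by cookie alone, with one that returns data only to same-origin requests. The function names, the `session` cookie, the sample record and the specific header checks are assumptions chosen for the example.

```javascript
// Constructed sample record; all names here are hypothetical.
const SAMPLE_USER = { id: "1000000001", firstName: "Ada", birthday: "1990-01-01" };

const deny = (status) => ({ status, headers: { "Cache-Control": "no-store" }, body: "" });

// Weak pattern: personal data emitted as executable JavaScript, gated by cookie only.
// Browsers attach cookies to cross-site <script> loads, so any page the user
// visits can include this file and read the variable it defines.
function serveProfileAsScript(req, user) {
  if (!req.cookies.session) return deny(401);
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// A request counts as same-origin if the browser says so (Fetch Metadata), or,
// for browsers that send no Sec-Fetch-Site, if it carries a custom header that
// a <script> tag cannot set and a cross-origin fetch cannot add without CORS.
function isSameOriginRequest(headers) {
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    return site === "same-origin" && headers["sec-fetch-dest"] !== "script";
  }
  return headers["x-requested-with"] === "XMLHttpRequest";
}

// Hardened pattern: data only (never script), same-origin only, not sniffable,
// not cached. The session cookie itself should also be set with SameSite.
function serveProfileAsJson(req, user) {
  if (!req.cookies.session) return deny(401);
  if (!isSameOriginRequest(req.headers)) return deny(403);
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(user),
  };
}
```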

The company that runs NameTests, German app-maker Social Sweethearts, told Slate on Friday, “The matter has been carefully investigated. The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused.”

De Ceukelaire started communicating with Facebook about the issue on April 22. After some back-and-forth emailing, Facebook told him on May 22 that the investigation could take three to six months. It wasn’t until June 25 that he noticed NameTests had changed the way it processed data in order to protect it from third parties. Facebook told him on Wednesday—the day he published his blog post—that the issue was fixed, and that it had donated $8,000 to the Press Foundation as part of the Data Abuse Bounty Program, according to De Ceukelaire’s account.

Facebook told Slate on Friday, “A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program. … We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.” The company also said that users can check whether their information was shared with any third-party apps by visiting this page.

Even if you don’t think you used it, it’s worth checking. I visited the page and clicked on the link to app settings. Under the “Removed” apps tab, I discovered that I had taken a NameTests quiz. I have zero recollection of this, and the page doesn’t indicate when I took it. I know only that the app was removed on Feb. 25, 2016—I think I purged it along with some other apps but don’t remember. When I clicked on “View details,” a message box appeared, explaining that NameTests “may still have access to info you previously shared, but can’t make additional requests for private info.” It also included a link to a privacy message on the Social Sweethearts website.

Facebook remains under intense scrutiny for its role in the Cambridge Analytica scandal, in which as many as 87 million people had their data misused. That data was collected through quizzes that Cambridge Analytica created. But there are some key differences. That scandal technically wasn’t a data breach, because nothing was leaked—it involved a researcher obtaining users’ data from a third-party app for academic purposes and then, without authorization, selling it to the political firm Cambridge Analytica, which used it to create “psychographic” voter profiles and target political ads. The data in that scandal came not only from people who took the quiz “This Is Your Digital Life” prior to 2015 but also their Facebook friends. News of the Cambridge Analytica scandal broke as Facebook was already under fire for its role in allowing Russian interference in the 2016 election to occur on its platform.