
Facebook has not yet recovered from the Cambridge Analytica scandal, and another one has already surfaced. How is Facebook going to handle this one?

A popular quiz app exposed the data of about 120 million Facebook users.

A third-party quiz app called NameTests was found exposing the data of up to 120 million Facebook users to anyone who happened to find it, ethical hacker Inti De Ceukelaire revealed. NameTests.com, the website behind popular social quizzes like “Which Disney Princess Are You?”, has around 120 million monthly users and uses Facebook’s app platform to offer a fast way to sign up.

As with any other Facebook app, signing up on the NameTests website through its app allows the company to fetch the necessary information about your profile from Facebook. He found that the popular quiz website was leaking the logged-in user’s details to other websites opened in the same browser, allowing any malicious website to obtain that data easily. He created a random website and explained how the information leaks in the following video.

Personal information was exposed in a JavaScript file that virtually any website could access simply by requesting it. Storing user data in a JavaScript file caused the website to leak data to other websites, because scripts can be included across origins. Reading another site's content is otherwise not possible: the browser’s same-origin policy, which Cross-Origin Resource Sharing (CORS) relaxes only with a site’s explicit permission, prevents a website from reading the content of other websites.
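
The pattern described above, shown beside a hardened form, as an added example that is not NameTests' code or part of the original report. The function names, the sample user and the response shape are assumptions made for illustration.

```javascript
// Added example: endpoint data and names are hypothetical, not NameTests code.
const SAMPLE_USER = { id: "1000", name: "Constructed User" }; // constructed data

// Weak pattern: user data emitted as executable JavaScript. Any site that
// includes this URL with a script tag gets the values in its own page.
function weakResponse(user) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var user = " + JSON.stringify(user) + ";",
  };
}

// Hardened pattern: data-only JSON, refused for script loads and for
// requests initiated by another site (Fetch Metadata request headers).
function hardenedResponse(user, reqHeaders) {
  const site = reqHeaders["sec-fetch-site"];
  const dest = reqHeaders["sec-fetch-dest"];
  const crossSite = site !== undefined && site !== "same-origin" && site !== "none";
  if (dest === "script" || crossSite) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // blocks use as a script
      "Cross-Origin-Resource-Policy": "same-origin",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(user),
  };
}

// Audit helper: could a browser run this response through a script include?
function executableAsScript(res) {
  const type = (res.headers["Content-Type"] || "").split(";")[0].trim().toLowerCase();
  if (["application/javascript", "text/javascript"].includes(type)) return true;
  // Without nosniff, browsers may still execute other MIME types as script.
  return (res.headers["X-Content-Type-Options"] || "").toLowerCase() !== "nosniff";
}
```

Browsers that do not send the `Sec-Fetch-*` headers still receive the JSON response, so the content type and `nosniff` header remain the baseline control.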

He reported the flaw via Facebook’s Data Abuse Bounty Program on April 22, and over a month later the social network informed him that it could take three to six months to investigate the issue.

Over two months after initially reporting the issue to Facebook, Ceukelaire noticed that NameTests had fixed the issue, and he was told that no evidence had been found of abuse of the exposed data by any third party.
On 27th June, Facebook contacted Ceukelaire and informed him that NameTests had fixed the issue and, at his request, donated $8,000 to the Freedom of the Press Foundation as part of its Data Abuse Bounty Program.

German company Social Sweethearts, which is behind NameTests, claims to have more than 250 million registered users and to have reached more than 3 billion page views per month.

Make sure to keep evidence if you make such discoveries: companies like Facebook and Apple usually fix the flaw after the initial report and then say that there was no flaw. And don’t rely on such third-party applications.
