While Facebook is still struggling to recover from the damage it incurred from the Cambridge Analytica scandal, another issue seems to be shrouding the social media giant. A hacker has claimed that popular quiz-making platform on Facebook Nametests has been publicly exposing the information of more than 120 million monthly users for years. The vulnerability has been plugged and Facebook’s Bug Bounty Program, which checks apps running on the social media platform and curbs users’ data shared through them, has been credited for the latest development.
According to Inti De Ceukelaire, Nametests have been developing quizzes, like a personality test, on Facebook and through those quizzes, third party entities had accessed users private information, friends list, posts and photos. The matter came to fore when De Ceukelaire took a quiz and while loading a test, he noticed that the website fetched his personal information and display it on the webpage. “In theory, every website could have requested this data. The data also includes a ‘token’ which gives access to all data the user authorised the application to access, such as photos, posts and friends. I was shocked to see that this data was publicly available to any third-party that requested it,” he wrote in a blog.
To confirm that Nametests actually shares the users’ information, the hacker set up a website that would connect to Nametests and get some information about the visitors who visit the newly-made website. He found that apart from the users’ info, Nametests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access a visitor’s posts, photos and friends. “It would only take one visit to our website to gain access to someone’s personal information for up to two months,” he claimed.
In April, the hacker reported this to Facebook’s Data Abuse program which the company started to clean up the mess created by the Cambridge Analytica issue. CEO Mark Zuckerberg also announced an audit of apps running on the platform and said that the company would “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and will conduct a full audit of any app with suspicious activity”. It has already suspended around 200 apps as a result of the ongoing audit but it seems Nametests was not audited yet.
After the hacker reported the developments, Facebook started looking into the complaint and in May, the company said that “it could take three to six months to investigate the issue.” By June end, Nametests changed the way it processes data and third-parties could no longer access its users personal information. The hacker apprised Facebook about the development and the social media giant confirmed that its has “revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it.”