Another Facebook Quiz App Left 120 Million Users' Data Exposed

People are still getting over the most controversial data scandal of the year, the Cambridge Analytica scandal, and Facebook is under fire yet again after it emerged that a popular quiz app on the social media platform exposed the private data of up to 120 million users for years.


Facebook was embroiled in controversy earlier this year over a quiz app that sold the data of 87 million users to a political consultancy firm, which reportedly helped Donald Trump win the US presidency in 2016.


Now, an ethical hacker has revealed that a different third-party quiz app, NameTests, was exposing the data of up to 120 million Facebook users to anyone who happened to find it.


NameTests[.]com, the website behind popular social quizzes such as "Which Disney Princess Are You?", which has around 120 million monthly users, uses Facebook's app platform to offer a fast way to sign up.


As with any other Facebook app, signing up on the NameTests website through its Facebook app allows the company to fetch the necessary information about your profile from Facebook, with your consent.


However, Inti De Ceukelaire, a bug bounty hunter and hacker, found that the popular quiz website was leaking a logged-in user's details to other websites opened in the same browser, allowing any malicious website to obtain that data easily.

The issue was due to a simple yet severe flaw in the NameTests website that appears to have existed since the end of 2016.


Storing user data in a JavaScript file caused the website to leak that data to other websites, which is otherwise not possible because of the browser's Cross-Origin Resource Sharing (CORS) policy, which prevents a website from reading the content of other websites without their explicit permission. Unlike a JSON response, a script file can be embedded by any page with a script tag; the browser fetches it with the user's NameTests cookies and executes it, so whatever the file assigns ends up readable by the embedding page.


As a proof of concept, De Ceukelaire developed a malicious website that would connect to NameTests and mine the data of visitors who used the app. Using a simple bit of code, he was able to harvest the names, photos, posts, pictures, and friends lists of anyone taking part in the quiz.


Credit: thehackernews