Facebook quiz app maker exposed data on over 120 million users

While Facebook tries to close the book on its Cambridge Analytica scandal, it's still dealing with many more. The FTC is conducting a non-public probe into the company's behavior around privacy data, the EU's stricter laws are making it hard for the company and they keep finding more apps that may have misused your data. Case in point: security researcher Inti De Ceukelaire has found that a quiz app from NameTests.com has been exposing user data for more than a year.

In a Medium post, De Ceukelaire notes that the javascript could potentially leak your Facebook ID, your first and last name and the language you speak, along with your gender, date fo birth, profile picture, cover photo, currency, the devices you use, the last update of your information, posts and statuses and your photos and friends. He also reports that this data had been publicly exposed since at least the latter part of 2016.

The researcher set up a website that would request information from the javascript that NameTests.com stored all the data it pulled from people who took quizzes like "Which Disney Princess Are You?" He found that it only took one visit to get access to someone's personal information for up to two months. He also provided video proof of the process, as embedded below. De Ceukelaire reported the issue to Facebook's Data Abuse program in April. NameTests.com apparently fixed the problem a few days ago, on June 25th. On the 27th, Facebook awarded him a $4,000 bug bounty, which was doubled when he donated it to charity, and wrote a post on its Bug Bounty page: "We appreciate Inti's work to identify this issue and Social Sweethearts' quick action to fix it on their site. This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems."