A quiz app on Facebook that can tell you which Disney princess you are has been leaking the personal information of its 120 million users.
“I was shocked to see that this data was publicly available to any third-party that requested it,” said Inti De Ceukelaire, the Belgian security researcher who discovered the data leak.
“It would only take one visit to our website to gain access to someone’s personal information for up to two months,” he wrote in his blog post. “I would imagine you wouldn’t want any website to know who you are, let alone steal your information or photos.”
The incident was discovered as Facebook is still facing some blowback from the Cambridge Analytica scandal, which involved a separate personality testing app. In that case, the app deliberately exploited Facebook’s data practices to harvest people’s personal information for political ad targeting purposes. As many as 87 million users may have been affected.
The data leak involving Nametests.com doesn’t appear to be deliberate. De Ceukelaire speculates that the flaw may have stemmed from a “rookie programming mistake.” Nevertheless, the data exposure had been going on since at least the end of 2016.
De Ceukelaire reported the problem to Facebook in April through the company’s new Data Abuse Bounty program, which was introduced in response to the Cambridge Analytica scandal.
“This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems,” Facebook said in a public post about the flaw, which the company helped to fix.
“To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it,” Facebook added.
Social Sweethearts, the developer behind Nametests.com, said it has found no evidence that bad actors ever abused the flaw.
However, De Ceukelaire said the whole incident raises serious questions over how Social Sweethearts handles the data of its users. He also noted that more than two months passed between his report and the point at which Facebook finished its investigation and the flaw was finally fixed. During that time the quiz apps from Nametests.com were still up and running.
“I am glad both Facebook and NameTests cooperated and resolved the issue,” he said in his blog post. “On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better.”
To protect yourself, De Ceukelaire recommends that you delete any apps from Facebook that you’re no longer using.