Contact UsWDN News & more...

Another Facebook Quiz App Left 120 Million Users’ Data Exposed


Of us are aloof getting over the most controversial knowledge scandal of the year, i.e., Cambridge Analytica scandal, and Fb is beneath fire as soon as as soon as more after it emerges that a favored quiz app on the social media platform uncovered the non-public knowledge of up to a hundred and twenty million customers for years.

Fb became in controversies earlier this year over a quiz app that sold knowledge of 87 million customers to a political consultancy firm, who reportedly helped Donald Trump utilize the US presidency in 2016.

Now, a special zero.33-birthday celebration quiz app, called NameTests, learned exposing knowledge of up to a hundred and twenty million Fb customers to any individual who took space to search out it, an moral hacker published.

NameTests[.]com, the accumulate pages in the motivate of approved social quizzes, love “Which Disney Princess Are You?” that has around a hundred and twenty million month-to-month customers, makes use of Fb’s app platform to present a rapidly manner to signal in.

Upright love every other Fb app, signing up on the NameTests web pages using their app allows the company to acquire crucial knowledge about your profile from the Fb, with consent naturally.

Nonetheless, Inti De Ceukelaire, a bug bounty hunter and hacker, learned that the favored quiz web pages is leaking logged-in particular person’s detail to the opposite websites opened in the the same browser, allowing any malicious web pages to carry out that knowledge with out grief.

In a Medium post published the day gone by, Ceukelaire acknowledged he appreciated to participate in the Files Abuse Bounty Program that Fb no longer too long ago launched in the wake of Cambridge Analytica scandal. So, he started taking a ogle at the apps his chums on Fb had place in.

web pages-knowledge-leak

Ceukelaire then determined to utilize his first quiz during the NameTests app, and as he started taking a more in-depth seek for on the test direction of, he noticed that the accumulate pages became fetching his non-public knowledge from “http://nametests[.]com/appconfig_user” and show it on its web pages.

Ceukelaire became worried when he saw his non-public knowledge in a JavaScript file that would possibly perhaps with out grief be accessed by virtually any web pages as soon as they would place a matter to it.

What Modified into the Flaw? How It Leaked Users’ Files?

This method back became as a result of a easy but severe flaw in NameTests web pages that seems to possess existed for the reason that cease of 2016.

Storing particular person knowledge in JavaScript file precipitated the accumulate pages to leak knowledge to other websites, which is in every other case no longer conceivable as a result of browser’s Inappropriate-Starting attach Helpful resource Sharing (CORS) coverage that stops a domain from reading the content of other websites with out their explicit permission.

As a proof of concept, Ceukelaire developed a malicious web pages that would possibly perhaps join to NameTests to mine the guidelines of pals using the app. Using a easy little bit of code, he became in a role to reap the names, photos, posts, photos, and chums lists of any individual taking section in the quiz.

The vigilant hacker moreover made a video as a proof of his findings, demonstrating how the NameTests web pages published your individual knowledge even after deleting the app.

Ceukelaire reported the flaw by ability of Fb’s Files Abuse Bounty Program on April 22, and over a month later the social media advised him that it is miles going to utilize three to 6 months to study the method back.

Over two months after to birth with reporting the method back to Fb, Ceukelaire noticed that NameTests has fastened the method back, and told him it had learned no evidence of abuse of the uncovered knowledge by any zero.33 birthday celebration.

On 27th June, Fb contacted Ceukelaire and advised him that NameTests had fastened the method back, and at his place a matter to, donated $Eight,000 to the Freedom of the Press Foundation as section of its Files Abuse Bounty Program.

German company Social Sweethearts, who is in the motivate of NameTests, claims to possess extra than 250 million registered customers and possess reached extra than three billion page views per thirty days.

Basically the most modern incident displays that, even after the social media big changed its conditions for apps to catch admission to knowledge on its platform motivate in 2015, Fb failed to adequately police such apps which possess catch admission to to sizable amounts of inner most knowledge on its platform.