A Belgian security researcher has discovered that personal data of more than 120 million Facebook users worldwide was publicly accessible to third parties. The data was collected by a quiz app called Nametests that is developed by the German company Social Sweethearts. The leak existed for several years and data remained accessible even when the app was uninstalled.
Nametests is a popular quiz app on Facebook that can be used to answer questions like “what fairy tale woman are you”, “what’s the first thing others notice about you” and “how you look like in a drawing”.
Belgian security researcher Inti de Ceukelaire found out that as soon as the app was installed on Facebook, it started to collect all kinds of personal data. This data included birth date, full name, city of residence, photos, friends and messages. De Ceukelaire found that once the app retrieved the data, it could be accessed by any third party that requested it. The data was available because it was retrieved in an insecure way, and anyone with some technical know-how could therefore access it.
Although the leak potentially allowed cybercriminals to obtain data of millions of users, De Ceukelaire states he doesn’t know whether the leak has been abused. Both Facebook and Social Sweethearts have stated that they worked on fixing the leak together and that there are no indications that the data has been stolen and abused.
De Ceukelaire received a bounty of $4,000, which Facebook doubled because De Ceukelaire donated the bounty to the non-profit organization Freedom of the Press Foundation.