Facebook quiz app Nametests exposed data of over 120 million users

Turns out, that "Which Disney princess are you?" quiz wasn’t worth giving up your info.

If you remember taking a ‘Which Disney Princess are you?’ quiz on Facebook years ago, this news affects you.

According to a security researcher, Inti de Cuekelaire, a popular quiz app on Facebook called the Nametests had some crucial flaw, which allowed anyone to pull up information of, over more than 120 million users, that had used the app. This was possible even after the app was deleted.

This report comes at a time when Facebook is still dealing with the fallout from its Cambridge Analytica data breach scandal. During that scandal too, a personality quiz had obtained data on 87 million Facebook users without their permission.

Screenshot of the Nametest website.

Screenshot of the Nametest website.

However, it is important to point out here, that unlike with Cambridge Analytica, the current flaw does not involve Facebook's policies. The security issue that has been spotted has to do with the flawed coding on the Nametests website.

Facebook has addressed the issue on its Bug Bounty page, mentioning that the social network has worked with Nametests' developers, to address the vulnerability. The Facebook post also says that more than 120 million people a month have used the popular quiz app.

Researcher Cuekelaire, who first reported this flaw, noticed that his personal information was loaded on the quiz website, without any encryption or security, and that the data was publicly available to anyone with the link. The data showed his name, the country he was from, his birth date, his gender and his age.

"I was shocked to see that this data was publicly available to any third-party that requested it," de Cuekelaire wrote on Medium. "In a normal situation, other websites would not be able to access this information."

The researcher says that he had reported the bug back on 22 April, 2018, and that the bug was fixed on 25 June.

Facebook offered the researcher $4,000 for the bug bounty, and he instead asked that the company donate it to the Freedom of the Press Foundation. Facebook matched the donation, to make it $8,000.

According to CNET, the developers of Nametest, Social Sweethearts, said that they have fixed the flaw after investigating the issue.




also see

science