The Cambridge Analytica scandal exposed what wasn’t really a secret: that Facebook is harvesting a lot of user data and that the data is shared with others. The privacy breach revealed that Facebook wasn’t doing enough to protect your privacy and that developers like Cambridge Analytica could take your data and your Facebook friends’ data and use it for whatever they wanted.
Since these revelations, Facebook has been trying to convince everyone that it can be trusted, that it will take measures to stop these practices, that your privacy matters to the company. But while it was performing this massive PR campaign, a different quiz app that had as many as 120 million users left their data exposed for others to see. Facebook was warned about it and needed many weeks to address and fix it properly.
There’s no telling exactly how many people have used the quiz app in question, and Nametests.com, the company behind the quizzes, says nobody abused it. But a researcher detailed the security issue on Facebook, revealing that the company did not take enough precautions to safeguard the data and that Facebook took a very long time to address the vulnerability.
Just because hackers could find someone’s Facebook data doesn’t mean anyone abused it. But, again, it goes to show that Facebook has a lot of work to do to win back our trust. Inti De Ceukelaire told Facebook about the issue on April 22nd, well after the Cambridge Analytica mess made the news around the world. Only two months later, on June 27th, did Facebook confirm that the matter had been fixed and that an $8,000 bounty had been paid to a charity chosen by the researcher (see the reply above).
What De Ceukelaire discovered was that Nametests.com left the data gathered from its users unprotected, and anybody who, like him, could find it, would walk away with plenty of information:
Depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.
Even if you deleted the app, external websites could still read “your facebook id, first name, last name, language, gender, date of birth.” The only way to permanently fix it was to delete the cookies, as the company behind the quizzes doesn’t have a logout functionality. For more information about this new user data security vulnerability, see this Medium post.