Photo: Getty

Facebook’s race to prove it’s a good and trustworthy company over the last few months kicked off when it was revealed that a quiz app sold user data to a political firm. Now, a different quiz app is getting some heat. A researcher discovered that a third-party app called NameTests left the data of 120 million Facebook users exposed to anyone who happened to find it.

Facebook’s privacy scandal kicked off in March when it was revealed that a data firm hired by Donald Trump’s presidential campaign, Cambridge Analytica, had illicitly purchased Facebook user data from a professor running a novelty quiz app called “thisisyourdigitallife.” Facebook knew about this violation of its policies and did practically nothing about it for years. But as CEO Mark Zuckerberg started getting hauled in front of lawmakers and investors got nervous, Facebook rolled out changes—some big, some small. An audit of third-party apps resulted in the suspension of around 200 apps in May. But it appears there could be plenty more problems waiting out there as demonstrated by ethical hacker Inti De Ceukelaire’s discovery of the NameTests security flaw.


On Wednesday, De Ceukelaire described the process of reporting a flaw in the website behind the quiz app to Facebook’s newly founded Data Abuse Bounty program. Having never personally used a quiz app, De Ceukelaire started looking at the apps his friends on Facebook had installed. He elected to take his first quiz through the NameTests app. As he started tracing how his data was being handled, he noticed that NameTest’s website was fetching his information from the URL “http://nametests.com/appconfig_user.” His personal data was held in a JavaScript file that could easily be requested by any website that knew to ask.

De Ceukelaire gives the example of a hypothetical shady porn site that’s aware of the vulnerability. A Facebook user could visit the porn site, the site could ask NameTest if this visitor has a profile, and if they did, the porn site could potentially download a number of data points about that user. What’s more, NameTest would provide an access token that would allow the shady site to continue to access information regarding a user’s posts, photos, and friends for up to two months. De Ceukelaire wrote, “depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.” He made a video of a dummy website he set up to take advantage of the flaw if you’d like to see how it works in practice.

The NameTest vulnerability may have been a simple mistake or an example of negligence, but it’s certainly a visceral example of how little oversight Facebook has over user data as it floats out to the world across thousands of apps. A determined hacker could use those data points to accomplish all sorts of nefarious activities. In the shady porn site example, De Ceukelaire cites the potential for blackmailing a user by revealing their activities to their friends and family.


The NameTest discovery not only demonstrates how much we still don’t know about third-party apps that were supplied with our data, it also shows the creaky process behind Facebook’s Data Abuse Bounty. De Ceukelaire says he reported the issue on April 22, and eight days later, Facebook responded that it was looking into it. On May 14, he checked in to see if Facebook had contacted the NameTest developers. Eight days later Facebook replied that it could potentially take three to six months to go through an investigation. Meanwhile, NameTest was just sitting there with this easily observable security hole.

Time went on with no word from Facebook, and on June 25, De Ceukelaire noticed that NameTest had fixed the issue. After he contacted Facebook, it acknowledged the fix and agreed to donate $8,000 to the Freedom of the Press Foundation as part of its reward for the bounty. So according to De Ceukelaire, Facebook took at least a month to fix the problem, and it had to be hunted down to fulfill its bounty promise.

When we contacted NameTest’s parent company, Social Sweethearts, about the issue, a spokesperson told us:

The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at social sweethearts and measures are currently being taken to avoid risks in the future.


We asked Facebook if this sort of slow response is common with its bounty program. We were given a boilerplate statement attributed to Ime Archibong, Facebook’s vice president of product partnerships. It reads, in full:

A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.

Facebook also pointed us to a blog post on its bug bounty page that went up this morning. It doesn’t contain any more info and is framed as if it’s a voluntary announcement praising De Ceukelaire’s find and celebrating its work with NameTest’s team to fix the problem. The reality is Facebook is once again opening up about an issue it’s known about for some time, only after it’s been publicly called out. The cycle is tiresome and firmly ingrained in the company’s DNA.


We’re going to see more revelations about third-party apps mishandling data; Facebook has been pretty clear about that. But it also appears that Facebook is moving painfully slowly when it comes to addressing issues when they arise. Maybe Facebook can divert some resources from its freshly-canceled drone program into building out the bounty team to speed things up.

[Medium via TechCrunch]