Although the vulnerability has now been removed, popular Facebook quiz provider NameTests reportedly exposed sensitive user data via JavaScript for years, potentially leaking the data of more than 120 million users. The data came from permissions granted by users to various quiz apps, and NameTests has been in operation since 2015. Depending on which quizzes were taken, users could have exposed a wide variety of information, according to Inti De Ceukelaire, the researcher who found the problem. Potentially compromised information includes one’s Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, preferred currency, posts and statuses, photos and friends, which devices were used, and when the profile information was last updated. As for how the leak worked, it comes down to the way the app loaded a user’s data.
Because the app used JavaScript both to load the user’s data and to create a token for more in-depth access, nearly any website could feasibly have taken the data simply by including the app’s configuration file. That also meant that deleting the app still left the Facebook ID, first name, last name, language, gender, and date of birth exposed. Since no method was in place for users to log out, that data remained accessible after the offending app was deleted unless the user deleted their cookies. There’s no reason to believe that the vulnerability was intentionally harmful, and there’s no evidence that any data was stolen; it was most likely intended for NameTests’ own internal advertising purposes. However, it did expose quite a lot of information for several years.
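The pattern described above, as an added example that is not NameTests’ or Facebook’s code: a "config file" served as executable JavaScript, which any page can pull in with a script tag, beside a JSON endpoint that refuses cross-site loads and cannot be executed, plus the logout that was missing. The sample user record, the `Sec-Fetch-Site` gate and the cookie name are assumptions for illustration.

```javascript
// Added example, not the vendor's code; the sample record below is constructed.
const SAMPLE_USER = { // constructed sample, not a real user
  id: "100000000000000", first_name: "Alice", last_name: "Example",
  language: "en_US", gender: "female", birthday: "1990-01-01",
};

// Weak pattern: profile data embedded in executable JavaScript. Any page can
// load it with <script src=...>; the browser sends the app's cookie, runs it,
// and the including page reads the resulting global.
function weakConfigResponse(user) {
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `window.user_data = ${JSON.stringify(user)};`,
  };
}

// Hardened pattern: plain JSON, only when the browser's Sec-Fetch-Site header
// (assumed present) says "same-origin"; a cross-site <script> load is refused,
// and nosniff stops a script tag from executing a JSON body regardless.
function hardenedConfigResponse(user, req) {
  const headers = {
    "content-type": "application/json; charset=utf-8",
    "x-content-type-options": "nosniff",
    "cache-control": "no-store",
  };
  if ((req.headers["sec-fetch-site"] || "") !== "same-origin") {
    return { status: 403, headers, body: JSON.stringify({ error: "forbidden" }) };
  }
  return { status: 200, headers, body: JSON.stringify(user) };
}

// The logout the article says was missing: expire the session cookie so that
// removing the app does not leave the data reachable until cookies are cleared.
function logoutResponse(cookieName) {
  const cookie = `${cookieName}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return { status: 204, headers: { "set-cookie": cookie }, body: "" };
}

// Regression check for a test suite: what would a third-party page's <script>
// tag observe? Only JavaScript content types execute; anything else yields null.
function leaksViaScriptTag(resp) {
  if (resp.status !== 200 || !resp.headers["content-type"].startsWith("application/javascript")) return null;
  const fakeWindow = {};
  new Function("window", resp.body)(fakeWindow); // simulate the browser running the script
  return fakeWindow.user_data || null;
}
```

Running `leaksViaScriptTag` against both responses in a test suite turns the class of bug into a failing check rather than a months-long disclosure.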
Perhaps more concerning, even after the problem was reported, De Ceukelaire says it took more than a month for Facebook to contact the developers involved. As of this writing, the vulnerability has been fixed and Facebook has donated $8,000 to the Freedom of the Press Foundation under its Data Abuse Bounty Program – at De Ceukelaire’s request. But the company had initially indicated it would take two or three months to finish investigating the matter. Unless a Facebook app’s developer is notified and fixes the problem internally, that potentially leaves users exposed for that much longer. Considering how many applications run on the platform, there could well be plenty of others with similar security issues. So, while the social media giant continues its investigations into these kinds of issues, De Ceukelaire has some sound advice for those still using Facebook: be careful about granting permissions, only install apps you’re currently using, and delete cookies after removing any given app.