While people are still trying to come to terms with the recent Cambridge Analytica scandal, Facebook and its quiz apps are at it again! Another flaw’s been discovered in a Facebook quiz app, NameTests, that has run Facebook quizzes for years.

The popular Facebook quiz app has leaked the personal data of 120 million users, leaving unprotected user data exposed on its website for nearly 2 years and easily accessible to any third party. The flaw appears to have existed since the end of 2016.

How it happened

The website stored the data of the quiz taker in JavaScript files causing it to leak the data to external websites and make the data accessible to anyone. Furthermore, it released an access token that gave additional permissions to third-party sites to access Facebook user data. To make matters worse, even after deleting the app the NameTests website would continue to leak the data.

Belgian activist, Inti de Ceukelaire, found the flaw and informed Facebook of it on 22 April. Subsequently, NameTests (run by German company Social Sweethearts) fixed the flaw in June, but only 2 months later. On 27 June De Ceukelaire received confirmation from Facebook that the flaw did exist and that it had been fixed.

Despite Facebook being notified of the apps vulnerability in April, the app/quizzes were still available to Facebook users for two months with the vulnerability present. Hence, those taking the quizzes were still at risk during that time and while Facebook was fully aware of the vulnerability and the risk to its users. Facebook didn’t think to suspend or remove the data-leaking app from its platform in the interim.

In a test, De Ceukelaire was able to harvest the data of Facebook users who had taken a NameTests quiz. Data included names, photos, posts, pictures, and friends lists.

Depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” writes De Ceukelaire.

Changes its terms, but fails to enforce them

In 2015 Facebook changed its terms and conditions to restrict applications from accessing Facebook user data. However, this data exposure shows that although contractually those changes were made, Facebook has failed to enforce those changes letting apps, like this one, access vast amounts of personal data via the Facebook platform. It seems that Facebook has not been able to (or could not be bothered to) properly vet apps for proper security protocols and monitor their access to user data.

As a direct result of the Cambridge Analytica scandal, Facebook is undergoing an audit of thousands of apps that have had access to its data. It has suspended many apps and is investigating others.

It’s very likely that many more incidents will be uncovered in the weeks and months to come and loads more data breaches revealed.

The next time you receive a ‘take this quiz’ notification, stop first to briefly consider the implications if you do- where your data may end up and if it’s really worth it.