
Facebook quizzes may have exposed 120 million users' personal information

Facebook's data privacy woes continue to grow as a security researcher uncovered that the social media site's popular "tests" not only told users which Disney princess they were, but also exposed the private data of about 120 million people who took the test.

Inti De Ceukelaire blogged on Medium that nametests.com, the site behind the ubiquitous Facebook time killers, just fixed a flaw that was exposing data. The researcher said he is a participant in Facebook's Data Abuse Bounty Program, which was created after the Cambridge Analytica scandal, and as such decided to see which offerings on the site might be a privacy problem.

“I scrolled through my timeline and noted down all apps my friends were using. Fitness trackers and Facebook Quizzes topped my list. The latter have been heavily criticised for their massive data harvesting and data-greedy permissions, so for the first time in my life, I took a Facebook Quiz,” he wrote. The quiz he took was "Which Disney Princess are you?"

He immediately noticed that the quiz site pulled his personal data and posted some of it in the site's code, along with a token that could be used to gain access to all the data the person taking the quiz authorized when they downloaded the app.

“In a normal situation, other websites would not be able to access this information. Web browsers have mechanisms in place to prevent that from happening. In this case however, the data was wrapped in something called javascript, which is an exception to this rule,” De Ceukelaire wrote.

He also found that the app retained all of a user's data, and the ability of others to see it, even if the app was removed. To fully remove the information, the test taker would have to delete the associated cookies.

De Ceukelaire also contacted Nametests.com's PR person, who told him the company was unaware of any personal information being abused by a third party.
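The "wrapped in javascript" exception De Ceukelaire describes can be shown as a response audit. This is an added example, not code from the article or from nametests.com; every function name, field and value in it is constructed. It puts the weak response pattern beside a hardened one, with a helper that flags responses a third-party page could load through a script tag.

```javascript
// Added example: every name, field and value here is constructed.
const user = { name: "Alice Example", token: "PLACEHOLDER_TOKEN" };

// Weak pattern: personal data emitted as executable JavaScript. Script
// includes are exempt from the same-origin policy, so any page that
// references this URL in a <script> tag gets the variable in its own scope.
function weakResponse(u) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(u) + ";",
  };
}

// Hardened pattern: plain JSON, refused for non-same-origin fetches, and
// marked so browsers will not run it as a script even if it is included.
function hardenedResponse(u, reqHeaders) {
  const site = reqHeaders["sec-fetch-site"]; // Fetch Metadata request header
  if (site && site !== "same-origin") {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cross-Origin-Resource-Policy": "same-origin",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(u),
  };
}

// Audit helper: could a third-party page load this response via <script>?
// Conservative: without nosniff, a non-script MIME type is not a guarantee.
function loadableAsCrossSiteScript(res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  if (res.status < 200 || res.status > 299) return false; // failed loads never execute
  if (["same-origin", "same-site"].includes(h["cross-origin-resource-policy"])) return false;
  const type = (h["content-type"] || "").split(";")[0].trim();
  const scriptType = /^(application|text)\/(x-)?(javascript|ecmascript)$/.test(type);
  return scriptType || h["x-content-type-options"] !== "nosniff";
}
```

The helper inspects headers only, so it is suited to reviewing captured responses from endpoints that return per-user data.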
