Facebook’s data privacy woes continue to grow as a security researcher uncovered the social media’s popular “tests“ not only told users which Disney princess they were, but also exposed the private data of about 120 million people who took the test.
Inti De Ceukelaire blogged on Medium that nametests.com, the site behind the ubiquitous Facebook time killers, just fixed a flaw that was exposing data. The researcher said he is a participant in Facebook’s Data Abuse Bounty Program, which was created after the Cambridge Analytica scandal and as such decided to see what offerings on the site might be a privacy problem.
“I scrolled through my timeline and noted down all apps my friends were using. Fitness trackers and Facebook Quizzes topped my list. The latter have been heavily criticised for their massive data harvesting and data-greedy permissions, so for the first time in my life, I took a Facebook Quiz,” he wrote, which was Which Disney Princess are you?
He immediately noticed the quiz site pulled his personal data and posted some of it in the sites code along with a token that could be used to gain access to all the data the person taking the quiz authorized when they downloaded the app.
He also found the app retained all your data, and its ability to be seen by others, even if the app is removed. To fully remove the information the test taker would have to delete the associated cookies.
Nametests.com’s PR person was also contacted by De Ceukelaire who was told it was unaware of any personal information being abused by a third party.