
Facebook sues app makers over browser extensions that allegedly scraped user data

Facebook has filed a lawsuit against two Ukrainian men accused of creating fraudulent quiz applications that tricked users into installing malicious browser extensions. These extensions allegedly scraped information from users' social media pages and injected unapproved advertisements when users visited various social networking sites, including Facebook.

As reported in The Verge, Facebook filed the suit on March 8 in a Northern California court against Kiev, Ukraine residents Gleb Sluchevsky and Andrey Gorbachov. In its filing, the social media giant says that from 2016 to 2018, the defendants used aliases to operate and distribute a series of quiz apps that were made publicly available for download via the web.

These four apps – called "Supertest," "FQuiz," "Megatest" and "Pechenka" – allegedly encouraged users to download browser plug-ins that were secretly designed to steal names, genders, age ranges, profile pictures and private friend lists from numerous social media sites.

Examples of the quizzes, which primarily targeted Russian and Ukrainian users, included "What is the color of your aura?", "Determine by photo, who is your famous ancestor?", and "What animal are you?".

Facebook says it disabled all of the defendants' known accounts last October, but not before Sluchevsky and Gorbachov allegedly compromised roughly 63,000 browsers of Facebook users.

"Defendants’ fraudulent applications falsely represented, to anyone using the Facebook Login feature, that the user was only granting the applications access to a limited amount of public Facebook profile information," the lawsuit states. "In fact, Defendants knew that the applications were designed to scrape the app users’ public profiles on Facebook and other social networking sites, and to prompt users to install malicious extensions for the purpose of manipulating the users’ browsers and collect the users’ private and non-publicly viewable lists of friends when the app user visited the Facebook site."

Facebook is seeking a court injunction against the defendants, as well as monetary damages. (Facebook spent $75,000 over the course of its investigation into the malicious extensions, The Verge reported.) The company claims Sluchevsky and Gorbachov not only breached their contracts with Facebook, but also violated the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act.

Last year, Facebook publicly blamed malicious browser extensions for a data breach involving at least 257,256 stolen profiles, including 81,208 that included private messages. Journalists from the BBC, aided by researchers from Digital Shadows, began investigating the matter last September after seeing the accounts advertised on BlackHat SEO, an English-speaking internet forum. It is not clear if this incident and the lawsuit are related.

Bradley Barth
