Cybersecurity researcher Inti De Ceukelaire has revealed that the private data of up to 120 million Facebook users was exposed through the platform's popular quizzes. The quizzes were offered by the app company nametests.com, which had reportedly been archiving users' names, posts, and photos for years. The researcher says he was shocked by what he found: a system careless about protecting users' data, which he calls a glaring flaw.
While hunting for data abusers on Facebook, Inti De Ceukelaire revealed in his Medium blog that nametests.com exposed users' data to third parties. He found that the quiz used a JavaScript file to display the user's personal information (name, location, age, birthday), and that this file could be read by any external website the user happened to visit while logged in on Facebook.
The post also described a broader weakness in the platform: the JavaScript handed out access tokens, which allowed third-party websites further access to data. According to the researcher, this exposure of personal data continued even if the app was deleted. The only way to stop it from accessing your data was to delete your cookies, as nametests.com does not offer a logout feature. When users take a simple quiz on Facebook, they do not realize that they are giving up personal data for the apps' ad-targeting campaigns, the post adds.
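The flaw described above, as an added example that is not taken from the researcher's post or from nametests.com's code: a constructed handler that serves per-user data as a cookie-authorised script, next to a hardened form. The session store, function names and origin are hypothetical.

```javascript
// Added illustration; all names and data are hypothetical, not nametests.com code.
const SESSIONS = new Map([['sess-abc', { name: 'Alice Example', birthday: '1990-01-01' }]]); // constructed
const OWN_ORIGIN = 'https://quiz.example'; // assumed origin of the quiz app

function sessionUser(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m ? SESSIONS.get(m[1]) : undefined;
}

// Weak: per-user data wrapped in executable JavaScript and authorised by the
// cookie alone, so any page that includes it as a script can read `user`.
function serveWeak(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'content-type': 'application/javascript' },
    body: `var user = ${JSON.stringify(user)};`,
  };
}

// Hardened: refuse cross-site and script-destination fetches (Fetch Metadata),
// check Origin when present, and return non-executable JSON with nosniff.
function serveHardened(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: '' };
  const h = req.headers;
  const crossSite = h['sec-fetch-site'] && h['sec-fetch-site'] !== 'same-origin';
  const asScript = h['sec-fetch-dest'] === 'script';
  const badOrigin = h.origin && h.origin !== OWN_ORIGIN;
  if (crossSite || asScript || badOrigin) return { status: 403, headers: {}, body: '' };
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'x-content-type-options': 'nosniff', // browsers refuse non-JS MIME types as script
      'cache-control': 'no-store',
    },
    body: JSON.stringify(user),
  };
}

// Constructed requests: a script include from another site vs. the app's own fetch.
const crossSiteScript = { headers: { cookie: 'sid=sess-abc',
  'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' } };
const sameOriginFetch = { headers: { cookie: 'sid=sess-abc',
  'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'empty', origin: OWN_ORIGIN } };
console.log(serveWeak(crossSiteScript).status, serveHardened(crossSiteScript).status,
  serveHardened(sameOriginFetch).status);
```

Setting the `SameSite` attribute on the session cookie adds a second layer, since the browser then omits the cookie from cross-site subresource requests.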
Facebook announced an out-and-out app audit on March 21st and promised to investigate all the apps that access information from its platform. None of us wants any website to access our personal information and abuse it in return through targeted ads based on our posts and friends.
When Ceukelaire tried to contact nametests.com, it denied all the claims, saying that it had found no evidence of abuse by a third-party app and would take appropriate steps to avoid such violations of personal data in the future.
When the researcher reached out to Facebook, it replied that it was looking into the problem. Later, Facebook dodged a follow-up email by saying that the investigation might take 3 to 6 months to complete, and promised to keep Ceukelaire in the loop. But a few days after this reply, Facebook admitted the flaw and said that it had worked with nametests.com and resolved the issue.
Ceukelaire said that this revelation against Facebook was only the tip of the iceberg, most of which, frighteningly, has yet to see the light.