A new data breach scandal has hit Facebook, just as the social networking site was scrambling to regain user trust after the Cambridge Analytica debacle. A security researcher found that a third-party app called NameTest left the data of 120 million Facebook users exposed online for years; Facebook took weeks to respond.
Researcher Inti De Ceukelaire found the breach as part of Facebook’s Data Abuse Bounty program. He discovered NameTest, a quiz app, stored users’ data on a JavaScript file that could easily be requested by any website. NameTest also provided those who requested information with an additional token that allowed them to see the data behind user’s posts, photos, and friends for up to two months.
“Depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” said De Ceukelaire in a Medium post about the breach. “If you ever took a quiz and removed the app afterwards, external websites would still be able to read your Facebook ID, first name, last name, language, gender, date of birth. You would have only prevented this from happening if you manually deleted your cookies, as the website does not offer a logout functionality.”
It’s unclear if NameTest was deliberately sharing data with third parties.
According to De Ceukelaire, he reported the issue in late April and Facebook took eight days to respond. In May, he checked in with Facebook again, and was told it could take three to six months to investigate the breach, he said. NameTest fixed the issue on Monday.
Facebook awarded De Ceukelaire $4,000 for his find, then matched this amount when he donated it to the Freedom of the Press Foundation.
