Facebook was inwards controversies before this twelvemonth over a quiz app that sold information of 87 meg users to a political consultancy firm, who reportedly helped Donald Trump win the United States of America of America presidency inwards 2016.
Now, a dissimilar third-party quiz app, called NameTests, works life exposing information of upward to 120 meg Facebook users to anyone who happened to detect it, an ethical hacker revealed.
NameTests[.]com, the website behind pop social quizzes, similar "Which Disney Princess Are You?" that has approximately 120 meg monthly users, uses Facebook’s app platform to offering a fast agency to sign up.
Just similar whatever other Facebook app, signing upward on the NameTests website using their app allows the fellowship to fetch necessary information close your profile from the Facebook, amongst consent naturally.
However, Inti De Ceukelaire, a põrnikas bounty hunter as well as hacker, found that the pop quiz website is leaking logged-in user’s especial to the other websites opened inwards the same browser, allowing whatever malicious website to obtain that information easily.
In a Medium post service published yesterday, Ceukelaire said he liked to participate inwards the Data Abuse Bounty Program that Facebook late launched inwards the wake of Cambridge Analytica scandal. So, he started looking at the apps his friends on Facebook had installed.
Ceukelaire was shocked when he saw his personal information inwards a JavaScript file that could easily survive accessed past times virtually whatever website when they would asking it.
What Was the Flaw? How It Leaked Users' Data?
Storing user information inwards JavaScript file caused the website to leak information to other websites, which is otherwise non possible due to browser’s Cross-Origin Resource Sharing (CORS) policy that prevents a website from reading the content of other websites without their explicit permission.
As a proof of concept, Ceukelaire developed a malicious website that would connect to NameTests to mine the information of visitors using the app. Using a uncomplicated flake of code, he was able to harvest the names, photos, posts, pictures, as well as friends lists of anyone taking role inwards the quiz.
The vigilant hacker too made a video every bit a proof of his findings, demonstrating how the NameTests website revealed your personal information fifty-fifty after deleting the app.
Ceukelaire reported the flaw via Facebook’s Data Abuse Bounty Program on Apr 22, as well as over a calendar month afterwards the social media informed him that it could accept 3 to half dozen months to investigate the issue.
Over 2 months after initially reporting the number to Facebook, Ceukelaire noticed that NameTests has fixed the issue, as well as told him it had works life no prove of abuse of the exposed information past times whatever tertiary party.
On 27th June, Facebook contacted Ceukelaire as well as informed him that NameTests had fixed the issue, as well as at his request, donated $8,000 to the Freedom of the Press Foundation every bit role of its Data Abuse Bounty Program.
High German fellowship Social Sweethearts, who is behind NameTests, claims to conduct keep to a greater extent than than 250 meg registered users as well as conduct keep reached to a greater extent than than 3 billion page views per month.
The latest incident shows that, fifty-fifty after the social media giant changed its weather for apps to access information on its platform dorsum inwards 2015, Facebook failed to adequately police such apps that conduct keep access to substantial amounts of personal information on its platform.
