Close up on a key and padlock lying on a red binary code surface. The padlock is unlocked and displays a glowing grid. (FILE)
A quiz app on Facebook that can tell you which Disney princess you are has also been leaking the personal information of its 120 million users.
The quiz app from Nametests.com was apparently storing the personal information of its users in a rather careless way; the data was circulating through a public Javascript file that other websites could theoretically access.
"I was shocked to see that this data was publicly available to any third-party that requested it," said Inti De Ceukelaire, the Belgian security researcher who discovered the data leak.
On Wednesday, he published a blog post, describing how the Javascript file might endanger the privacy of Nametests.com users. A third-party website could potentially exploit the Javascript file to see when incoming visitors have a Facebook profile. If the visitors do, the website could harvest details of the Facebook profiles, including name, age, birth date and gender.
More From PCmag
De Ceukelaire demoed the threat by creating his own website that can fetch data from the quiz app's Javascript file. Any users of the quiz app who visited his website would not only get their Facebook data harvested, but also their photos and friend's list too.
"It would only take one visit to our website to gain access to someone's personal information for up to two months," he wrote in his blog post. "I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos."
The incident was discovered as Facebook is still facing some blowback from the Cambridge Analytica scandal, which involved a separate personality testing app. In that case, the app deliberately exploited Facebook's data practices to harvest people's personal information for political ad targeting purposes. As many as 87 million users may have been affected.
The data leak involving Nametest.com doesn't appear to be deliberate. De Ceukelaire speculates that the flaw may have stemmed from a "rookie programming mistake." Nevertheless, the data exposure has been going on since at least the end of 2016.
De Ceukelaire reported the problem to the Facebook in April through the company's new bug bounty program, which was introduced in response to the Cambridge Analytica scandal.
"This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems," Facebook said in a public post about the flaw, which the company helped to fix.
"To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it," Facebook added.
The developers behind Nametests.com, Social Sweethearts, said it's also found no evidence that bad actors ever abused the flaw.
However, De Ceukelaire said the whole incident raises serious questions over how Social Sweethearts is handling the data of its users. He also noted that it took Facebook over two months before it finished its investigation and finally patched the flaw. During that time the quiz apps from Nametests.com were still up and running.
"I am glad both Facebook and NameTests cooperated and resolved the issue," he said in his blog post. "On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better."
To protect yourself, De Ceukelaire recommends that you delete any apps from Facebook that you're no longer using.
This article originally appeared on PCMag.com.
Get a daily look at what’s developing in science and technology throughout the world.