Popular Facebook quiz app exposed data on more than 120 million users

Hmm, maybe that "Which Disney princess are you?" quiz wasn't worth giving up your info.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

A researcher discovered this Facebook app had been exposing people's data for years.

Screenshot by Alfred Ng/CNET

If you tried to find out which Disney Princess you were on Facebook years ago, you might've given up more than your name. 

A security researcher found that a popular quiz app on Facebook called "Nametests" had a flaw that let anyone pull up information on more than 120 million people, even after the app was deleted. 

The flaw points up Facebook's privacy issues as the world's largest social network continues to deal with fallout from its Cambridge Analytica scandal. The data analytics firm, which consulted with the Trump campaign during the 2016 US presidential election, had also used a personality quiz to obtain data on 87 million Facebook users without their permission. 

Unlike the situation with Cambridge Analytica, this flaw didn't involve Facebook's policies -- the security issue had to do with flawed coding on the Nametests website.

Facebook addressed the issue with a post on its Bug Bounty page, writing that the social network has worked with Nametests' developers, Social Sweethearts, to address the vulnerability. More than 120 million people a month have used the popular quiz app.

"A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data," Ime Archibong, Facebook's vice president of partner products, said in a statement. "We worked with nametests.com to resolve the vulnerability on their website," completing the fix in June.

Security researcher Inti de Cuekelaire detailed his discovery in a Medium post. He wrote that he noticed his personal information loaded on Nametests' website without any encryption or security, and that the data was publicly available to anyone with the link. The data showed his name, the country he was from, his birth date, his gender and his age.

"I was shocked to see that this data was publicly available to any third-party that requested it," de Cuekelaire wrote. "In a normal situation, other websites would not be able to access this information."

He then set up a website that could get information on anyone who visited it if they'd used Nametests in the past. Through that webpage, he was able to load data on a visitor's private photos, status updates and friends. 

Social Sweethearts said it fixed the flaw after investigating the issue.

The company's data protection officer, Thomas Schwenke, said in a statement that Social Sweethearts' inquiry "found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused."

De Cuekelaire said he reported the bug April 22 and that it was fixed June 25. Facebook offered the researcher $4,000 for the bug bounty, and he instead asked that the company donate it to the Freedom of the Press Foundation. Facebook matched the donation, to make it $8,000. 

The flaw highlights Facebook's problems with third-party apps, even as the social network looks to buckle down on them after the data abuse from Cambridge Analytica. Facebook has already deleted about 200 apps in its data misuse investigation, but privacy flaws continue to find a way to surface.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

World Cup 2018: Find out how to watch, learn some trivia and more.