Facebook has just patched up another data leak, but the fix may come too late. And it's not related to the Cambridge Analytica breach at all.
Digital expert Inti De Ceukelaire has exposed a Facebook app called Nametests.com in a blog post on Medium. The app hosts personality quizzes (a la “Which Disney Princess Are You?”), but when De Ceukelaire took one, he noticed the app had gathered all the information on his page—and that the data was easily accessed by third-party websites.
What this means to users
In simple terms, the personal data was saved in a JavaScript file, and JavaScript files are designed to be shared: a web page can load and run a script hosted on another site. Most websites have safeguards against sharing data this way, but Nametests.com did not, meaning that if a website had the right permissions, it could pull up to two months' worth of your data from Nametests.
“Depending on what quizzes you took, the javascript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” said De Ceukelaire.
Deleting the app didn’t erase your data from it, either. To do that, a user would have had to manually delete their cookies. He continued:
“If you ever took a quiz and removed the app afterwards, external websites would still be able to read your Facebook ID, first name, last name, language, gender, date of birth. You would have only prevented this from happening if you manually deleted your cookies, as the website does not offer a logout functionality.”
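The pattern described above, shown beside a hardened form, as an added example that is not code from Nametests or from De Ceukelaire's post. The handler names, the session store and the sample profile are assumptions made for illustration.

```javascript
// Constructed sample data: one logged-in session and its profile fields.
const SESSIONS = new Map([["sess-abc123", { id: "1000001", firstName: "Alex", language: "en" }]]);

function sessionId(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? m[1] : undefined;
}

// Leaky pattern: personal data emitted as a script. Browsers attach the
// visitor's cookie to script loads requested by any page and do not apply the
// same-origin policy to script includes, so the embedding page can read userData.
function serveAsScript(req) {
  const user = SESSIONS.get(sessionId(req));
  if (!user) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// Hardened pattern: the same data as JSON, which is not executable, with
// nosniff so it cannot be run as a script. Fetch Metadata headers, when the
// browser sends them, let the server refuse cross-site and script requests.
function serveAsJson(req) {
  const user = SESSIONS.get(sessionId(req));
  if (!user) return { status: 401, headers: {}, body: "" };
  const site = req.headers["sec-fetch-site"];
  if ((site && site !== "same-origin") || req.headers["sec-fetch-dest"] === "script") {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(user),
  };
}

// Logout: drop the server-side session and expire the cookie in the browser,
// so removing the app no longer leaves a usable cookie behind.
function logout(req) {
  SESSIONS.delete(sessionId(req));
  return { status: 204, headers: { "Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure" }, body: "" };
}
```

The hardened handler sends no CORS headers, so a cross-origin `fetch` from another site cannot read the JSON response either.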
According to De Ceukelaire, he noticed the flaw was fixed on June 25, 2018, though the flaw has reportedly existed since the end of 2016. As of now, there is no evidence that Nametests abused this chink in the armor (and De Ceukelaire admits in his post that “it could have been a rookie programming mistake”). Even if it is a mistake, it is too serious a breach of privacy to be written off and slapped with a “try again next time.”
Facebook made this post regarding the breach: