According to the “hacker” who exposed the bug, Inti De Ceukelaire, the website, NameTests.com, was serving personal data including Facebook users’ names, email addresses, date of birth, locations, Facebook IDs, and more, to any third-party service that requested the data via the URL nametests.com/appconfig_user.
According to De Ceukelaire, the NameTests URL also served Facebook access tokens for the identified users. Depending on the permissions granted by the user, a Facebook access token could give a third party access to a user’s posts, friends and photos.
Social Sweethearts is the parent company of NameTests and its website claims it has more than 250 million registered users and more than 100 million fans on Facebook. It also claims to account for more than 3 billion pageviews per month.
The bug has since been patched and any requests sent to the URL are no longer served Facebook users’ personal data.
To demonstrate how easy it was to retrieve data on visitors through the NameTests URL, De Ceukelaire set up a website and uploaded a video demonstration to YouTube of it outputting all of his own Facebook data following a request to the NameTests URL.
The video demonstration also shows that NameTests continued serving data on its Facebook users even after they deleted the application.
As the app didn’t feature log-out functionality, the only way users could prevent their data from being leaked was by deleting the cookies set on their machines.
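The points in the paragraphs above (a cookie-authenticated URL that handed user records, access tokens included, to any site that requested it, kept doing so after the app was removed, and could only be stopped by the user clearing cookies) are the classic symptoms of a user-data endpoint with no cross-site protection and no server-side revocation. The following is an added illustration, not code from NameTests, Social Sweethearts or De Ceukelaire; the article does not describe the endpoint's real response format or internals, so the handler names, header checks, sample users and sessions here are all constructed assumptions. It shows the weak pattern beside a hardened one that refuses cross-site requests, honours revocation when the user removes the app, and keeps the access token server-side.

```python
"""Added example: a cookie-authenticated "give me my user data" endpoint, weak and
hardened. Everything here (names, users, sessions, header logic) is constructed."""
from dataclasses import dataclass, asdict


@dataclass
class Request:
    headers: dict   # HTTP request headers (case-sensitive keys, for simplicity)
    cookies: dict   # already-parsed Cookie header


@dataclass
class User:
    facebook_id: str
    name: str
    email: str
    access_token: str   # the most sensitive field: lets the holder call the API as the user


OUR_ORIGIN = "https://quiz.example"   # constructed stand-in for the app's own site
USERS = {"fb-1001": User("fb-1001", "Sample User", "sample@example.com", "EAAB...sample-token")}
SESSIONS = {"sess-abc": "fb-1001"}    # session cookie value -> Facebook ID
REVOKED: set = set()                  # sessions killed when the user removes the app


def weak_appconfig_user(req: Request):
    """Weak pattern: any request carrying a valid session cookie receives the full
    record, token included, no matter which site caused the browser to send it.
    Removing the app changes nothing here; only deleting the cookie stops it."""
    uid = SESSIONS.get(req.cookies.get("session"))
    if uid is None:
        return 401, None
    return 200, asdict(USERS[uid])


def is_cross_site(req: Request) -> bool:
    """Cross-site if either browser-supplied signal says so: the Sec-Fetch-Site
    metadata header, or an Origin header that is not our own."""
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return True
    origin = req.headers.get("Origin")
    return origin is not None and origin != OUR_ORIGIN


def hardened_appconfig_user(req: Request):
    """Hardened pattern: reject cross-site requests, honour server-side revocation,
    and never hand the access token to the browser at all."""
    if is_cross_site(req):
        return 403, None
    sid = req.cookies.get("session")
    if sid in REVOKED:
        return 401, None
    uid = SESSIONS.get(sid)
    if uid is None:
        return 401, None
    record = asdict(USERS[uid])
    del record["access_token"]   # the token stays server-side; only non-secret fields go out
    return 200, record


def revoke_session(sid: str) -> None:
    """Called when the user removes the app or logs out; the user need not clear cookies."""
    REVOKED.add(sid)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value that stops the browser attaching the cookie to cross-site
    requests in the first place (defence in depth alongside the header checks)."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    # Constructed request: a third-party page makes the browser fetch the URL.
    cross = Request({"Origin": "https://third-party.example", "Sec-Fetch-Site": "cross-site"},
                    {"session": "sess-abc"})
    print("weak:", weak_appconfig_user(cross))          # 200 plus the whole record
    print("hardened:", hardened_appconfig_user(cross))  # (403, None)
```

The two handlers differ in three places that map directly onto the incident as described: the origin check stops other sites from collecting the data, the revocation set means removing the app actually cuts off access, and the token never leaves the server, so even a same-site bug cannot expose it. `SameSite=Strict` on the cookie is the complementary browser-side control.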
De Ceukelaire discovered the bug after signing up to Facebook’s data abuse bounty programme, which rewards developers who identify security issues in Facebook’s services.
According to a post published by De Ceukelaire on Medium.com, he informed Facebook of the bug on 22nd April; however, the social network only managed to get NameTests to fix the bug on 25th June, two months after it was initially reported.
De Ceukelaire also claims Facebook told him on the 22nd April that it could take upwards of three to six months to investigate the issue (according to TechCrunch, Facebook claims it was only informed on 27th April).
In response to the incident and in a post on the Facebook Bug Bounty page, Facebook stated, “To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it.”
It also went on to state, “we appreciate Inti’s work to identify this issue and Social Sweethearts’ quick action to fix it on their site.”
According to TechCrunch, a data protection officer from Social Sweethearts stated, “The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused.”
The Facebook Data Abuse Bounty was launched on 10th April, 2018. Facebook has been under intense scrutiny over the last year after an app called “thisisyourdigitallife”, developed by Aleksandr Kogan, shared data on tens of millions of users with third party Cambridge Analytica.
As a consequence of the scrutiny, Cambridge Analytica recently filed for bankruptcy. Facebook CEO Mark Zuckerberg has also recently been questioned before Congress on his organization’s data protection practices.
This latest data leak also follows the adoption of the EU’s General Data Protection Regulation by EU Member States on 25th May, 2018.