Quiz on Facebook leaked information about logged-in users
The Facebook quiz app NameTests made it possible for a malicious site to collect information about logged-in Facebook users. The flaw was found by the ethical hacker Inti De Ceukelaire, which made him eligible for a bug bounty.
De Ceukelaire examined several apps on the social network after Facebook launched a new bug bounty program in the wake of the Cambridge Analytica scandal. In one of those apps, NameTests from the German company Social Sweethearts, he noticed that it fetched his personal information from an external NameTests site.
He then found that a malicious site could use that same NameTests endpoint to collect information about any logged-in Facebook user who visited it. The returned data also included an access token which, depending on the permissions the user had granted, gave access to that user's posts, friends and photos.
According to De Ceukelaire, the data a malicious party could retrieve this way differed per app; it could include the Facebook ID, first name, last name, language, gender, date of birth, profile picture, devices used, friends, photos and posts. NameTests says there is no indication that malicious parties exploited the vulnerability.
Facebook told De Ceukelaire that the NameTests app has around 120 million monthly active users. According to NameTests, the data had been retrievable since the beginning of last year. De Ceukelaire also found that it was not possible to log out of the app; the only way was to delete the corresponding cookies manually, so data could still be retrieved even after the app had been removed. Facebook awarded a $4,000 reward and doubled it after De Ceukelaire said he would donate the amount to charity.
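The article describes two problems without showing the code: a session-bound endpoint whose response a third-party site could read, and the absence of a logout that would invalidate the session. The following is an added illustration of that class of bug, not NameTests' or De Ceukelaire's code, and the article does not state how the endpoint was readable cross-site. The example assumes the common mechanism for such leaks, a response served as JavaScript that calls a caller-supplied callback, so that any page can pull it in with a script tag; the origin `https://quiz.example`, the `/userinfo` path, the cookie name `sid`, the session store and all profile data are constructed for the example.

```javascript
// Added example (not code from the article or from NameTests): a user-info
// endpoint that leaks the logged-in user's profile and access token to any
// third-party page, beside a hardened version and a real logout.
// ASSUMPTION: the leak is modelled as a JavaScript-callback ("JSONP") response;
// the article does not say which format the real endpoint used.

// Constructed sample session store: cookie value -> profile plus the app's
// Facebook access token. All values are fake.
const SESSIONS = new Map([
  ['sess_a1b2c3', {
    facebookId: '10000000001',   // constructed
    firstName: 'Alice',
    lastName: 'Example',
    language: 'en_US',
    accessToken: 'EAAB-constructed-token',
  }],
]);

const APP_ORIGIN = 'https://quiz.example'; // assumed legitimate front-end origin

function parseCookie(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// VULNERABLE: identifies the user by cookie alone and wraps the whole session,
// access token included, in a caller-chosen callback served as JavaScript.
// Browsers attach cookies to <script src> loads, so https://evil.example can
// include the endpoint as a script and receive the data in its own callback.
function userInfoVulnerable(req) {
  const session = SESSIONS.get(parseCookie(req.headers.cookie).sid);
  if (!session) return { status: 401, contentType: 'text/plain', body: 'not logged in' };
  const cb = new URL(req.url, APP_ORIGIN).searchParams.get('callback') || 'callback';
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

// HARDENED: (1) plain JSON with nosniff, which a <script src> include cannot
// consume; (2) cross-site callers rejected via Origin and Sec-Fetch-Site
// (Sec-Fetch-Site is what a script include from another site carries, since
// such loads send no Origin header); (3) the access token never leaves the
// server, as the front-end has no need for it.
function userInfoHardened(req) {
  const h = req.headers;
  const session = SESSIONS.get(parseCookie(h.cookie).sid);
  if (!session) return { status: 401, contentType: 'text/plain', body: 'not logged in' };
  if (h.origin && h.origin !== APP_ORIGIN) {
    return { status: 403, contentType: 'text/plain', body: 'cross-origin caller' };
  }
  if (h['sec-fetch-site'] === 'cross-site') {
    return { status: 403, contentType: 'text/plain', body: 'cross-site request' };
  }
  const { accessToken: _serverOnly, ...profile } = session;
  return {
    status: 200,
    contentType: 'application/json',
    headers: { 'X-Content-Type-Options': 'nosniff', 'Vary': 'Origin' },
    body: JSON.stringify(profile),
  };
}

// The missing logout: invalidate the session server-side and clear the cookie,
// so removing the app (or logging out) really does end access to the data.
function logout(req) {
  SESSIONS.delete(parseCookie(req.headers.cookie).sid);
  return {
    status: 204,
    contentType: 'text/plain',
    body: '',
    setCookie: 'sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
  };
}

// Simulates what an attacker page receives from <script src="...?callback=NAME">:
// the browser executes the body only if it is JavaScript (with nosniff, JSON
// is refused outright; even without it, a bare JSON object is a syntax error
// as a script). Returns the object handed to the callback, or null.
function simulateScriptInclude(response, callbackName) {
  if (response.status !== 200 || response.contentType !== 'application/javascript') return null;
  let captured = null;
  new Function(callbackName, response.body)((data) => { captured = data; });
  return captured;
}

module.exports = { userInfoVulnerable, userInfoHardened, logout, simulateScriptInclude, APP_ORIGIN };
```

Note that the Origin check alone would not have helped against a script include, which carries no Origin header; it is the change of response format (and, for modern browsers, the Sec-Fetch-Site check and a SameSite cookie) that closes the cross-site read. Keeping the access token server-side limits what any future leak of the same endpoint can expose.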
Video with a demonstration by De Ceukelaire