Jul 01, 2018

'Nametests.com' App Left 120 Million Facebook Users' Data Exposed

    Nowadays Facebook apps have taken over our walls. From guessing your age to finding your doppelganger, these apps can do virtually anything. But the question is: are they safe?


    Recently, researchers found a privacy bug in an app hosted on Nametests.com. The flaw has been there since at least the end of 2016. Almost 120 million users who took the personality test there are the victims of the incident.

Overview of the Bug:

    The vulnerability was that nametests.com served users’ data to any third party that requested it, without proper credentials. The issue was reported by Inti De Ceukelaire, who discovered that, when loading a personality test, the website would fetch all of his personal information from http://nametests.com/appconfig_user and display it on the page.

    Normally, web browsers prevent these attempts. But, the researcher explains,

“Since NameTests displayed their user’s personal data in JavaScript file, virtually any website could access it when they would request it,”

Tests have been conducted:

    In the PoC (Proof-of-Concept) that he sent to the authority, he set up a website that connected to Nametests.com and would fetch information about the visitor. The access token provided by Nametests.com could also be used to gain access to the visitor’s posts, photos and friends, depending on the permissions granted. He added,

"It would only take one visit to our website to gain access to someone’s personal information for up to two months,"
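The server-side pattern described above, next to a hardened form, as an added example that is not code from Nametests.com or from the researcher. The session store, handler names, variable name `appConfigUser` and sample requests are constructed for illustration, and the weak case assumes a session cookie without SameSite restrictions.

```javascript
// Constructed session store; names and values are illustrative only.
const SESSIONS = { "sid-123": { name: "Alice Example", accessToken: "CONSTRUCTED-TOKEN" } };

// Parse a Cookie header into an object of name/value pairs.
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map(p => p.trim().split("=")).filter(kv => kv.length === 2));
}

function sessionUser(req) {
  return SESSIONS[parseCookies(req.headers.cookie).sid];
}

// Weak form: profile and token emitted as executable JavaScript, gated only by
// the session cookie. A script file is not protected by the same-origin policy.
function weakHandler(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  return { status: 200,
           headers: { "Content-Type": "application/javascript" },
           body: `var appConfigUser = ${JSON.stringify(user)};` };
}

// Hardened form: data-only JSON, no token in the body, and cross-site or
// script-destination requests rejected using Fetch Metadata request headers.
function hardenedHandler(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  const site = req.headers["sec-fetch-site"];
  const dest = req.headers["sec-fetch-dest"];
  if (dest === "script" || (site && site !== "same-origin"))
    return { status: 403, headers: {}, body: "" };
  return { status: 200,
           headers: { "Content-Type": "application/json",
                      "X-Content-Type-Options": "nosniff",
                      "Cross-Origin-Resource-Policy": "same-origin",
                      "Cache-Control": "no-store" },
           body: JSON.stringify({ name: user.name }) };
}

// Constructed requests: a script include from another site vs. the site's own fetch().
const crossSiteScript = { headers: { cookie: "sid=sid-123",
  "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" } };
const sameOriginFetch = { headers: { cookie: "sid=sid-123",
  "sec-fetch-site": "same-origin", "sec-fetch-dest": "empty" } };

console.log(weakHandler(crossSiteScript).status, hardenedHandler(crossSiteScript).status,
            hardenedHandler(sameOriginFetch).status);
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie is a complementary control, since the cookie is then withheld from cross-site script loads in the first place.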

Intermediate Solution:

    To prevent it, deleting the app alone will not be enough; you also have to clear your browser cookies, as the site provides no logout option. This method works for all malicious apps and sites as well.

Patches Rolled Out:

    After the Cambridge Analytica scandal, Facebook took quick note of this and acted immediately. The bug was reported to Facebook’s Data Abuse program on April 22 and patched by June 25. They announced that,

"this bug has affected Facebook information people shared with nametests.com. To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it"

No need to worry:

    NameTests.com confirms that "according to the data and knowledge they have, they found no evidence of abuse by a third party"

Time for Reward:

    Facebook doubled the bounty to $8000 for the bug, as the researcher decided to donate the money to the "Freedom of the Press Foundation".

