We've all seen those quizzes on Facebook that answer such important questions as "What tattoo should you get?" and "Who were you in a past life?". While they may look harmless, it turns out one of the creators of those surveys has been leaking personal data for the last two years. Just to add salt to the wound, Facebook didn't check the app properly.
Nametests.com has been running Facebook quizzes for a couple of years. Belgian hacker Inti De Ceukelaire recently discovered a significant data leak and scored an $8,000 bug bounty from Facebook under its Data Abuse Bounty Program. The bounty was donated to the Freedom of the Press Foundation.
That bug bounty program was launched following the Cambridge Analytica leaks that created a sinkhole of misery for Facebook and saw their founder and CEO Mark Zuckerberg dragged in front of hearings on both sides of the Atlantic.
De Ceukelaire started his analysis by taking his first ever Facebook quiz and discovered that personal data harvested by the quiz was accessible to any third party.
There's a full explanation on his blog. He even found an unauthorised website using his data.
To get some idea of the scope of this leak, Nametests has over 120 million active users each month, but there's no telling whose data or how much data has been leaked.
If you've used Nametests in the past, you can remove it from your Facebook apps. That won't retrieve any leaked data, but it will stop further leaks as your personal data changes and send the developers a message that you won't be using their surveys again. To do that:
- Log in to Facebook, go to Settings and then open the Apps and websites link
- Search for Nametests
- Select it by clicking the checkbox adjacent to its name
- Click Remove
While you're there, take a look at what other apps and websites are linked to your Facebook account and decide whether you want to keep them or not.
While those quizzes look like a bit of fun, they can be ways of harvesting data. Over the last few months it's become clear that Facebook's processes for ensuring your data is protected have not been up to snuff. That means you need to take greater care as it's simply not possible to trust other parties to always do that for you.