What Is NameTests? Facebook Quiz App 'Exposed Data of 120 Million Users'

Sensitive Facebook information for up to 120 million users was put at risk for years by a leaky quiz application company called Nametests.com, a security researcher disclosed today, proving what many experts previously suspected: Cambridge Analytica was the tip of the iceberg.

Inti De Ceukelaire, an ethical hacker and bug bounty hunter, found that anyone could have accessed the Facebook profile information of users signed up to one of the many quizes being circulated via the application. He discovered that the data—which included names, date of births, posts, statuses, pictures and friend lists—could be compromised even after the apps were deleted.

The researcher, who uploaded footage of the security issue to YouTube, said in a blog post he was "shocked" to find that the website would fetch a user's Facebook information and display it on an external webpage configured in a way that could be accessed—and exploited—by literally anyone. "In a normal situation, other websites should not be able to access this information," he warned.

The issue was reported to the Mark Zuckerberg-led platform on April 22 and resolved in late-June this year. According to internet records, the flaw had existed since 2016. Nametests, which has 120 million monthly active users thanks to Facebook pages in different languages, offers tests and quizes which spread across social media. The developer said it had "no evidence of abuse by a third party."

But De Ceukelaire said the implications could be significant. "I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos," he wrote.

"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends," the researcher continued. "More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends." The bug was reported under Facebook's Data Abuse Bounty Program, enacted on April 10 to report suspected app issues.

To access the quizes, the application requires users login via Facebook. De Ceukelaire said that it would have been "easy" for an attacker to create a booby-trapped website that stole their data.

It remains unclear if the information could have been exploited in bulk.

Nametests.com's terms of service state that the purchase of and use of products "offered by third parties though the site is at your own discretion and risk." The company claimed that it has already implemented heightened security measures, but the true scope of the data leak remains murky. According to De Ceukelaire, it is highly likely that he was not the only person aware of the flaws.

"I can only say that it was really easy to spot, and I would be surprised if nobody else found this earlier, given the website claims to generate more than three billion page views every month, most of which had references to the leaky Javascript," he wrote in the blog post, continuing: "Nametests does state that, according to the data and knowledge they have, they did not find any evidence of abuse."

The ethical hacker said it was "important to note that if this flaw was ever abused, only the users that actually visited the attacker's website would have their data leaked to the attacker." Users could only stop the app from revealing data by manually deleting the cookies on their device, he added.

He advised anyone concerned about the incident to review and delete any unwanted applications.

For the discovery, the researcher was awarded $8,000, which was donated to the to the Freedom of the Press foundation. The original bounty was $4,000, but was doubled because it was given to charity.

Ime Archibong, vice president of product partnerships at Facebook, told Newsweek: "A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June."

Nametests is the work of German publisher Social Sweethearts, according to CrunchBase.

In a statement on Wednesday, Social Sweetheart told Newsweek: "The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at social sweethearts and measures are currently being taken to avoid risks in the future."

Facebook acknowledged that the bug "could have allowed an attacker to determine the details of a logged-in user to Facebook's platfom" if they were re-directed to a malicious website.

While De Ceukelaire welcomed the fix, he warned: "We cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better."

Earlier this year, Facebook was thrust into scandal after The Observer newspaper revealed that millions of accounts had been targeted by a U.K-based political profiling outfit called Cambridge Analytica, which had known ties to the 2016 election campaign of U.S. president Donald Trump. Zuckerberg, feeling the heat, was forced to appear before politicians to answer questions about data misuse.

Facebook is currently conducting a full audit of its third-party applications.

"I started Facebook, and at the end of the day I'm responsible for what happens on our platform," Zuckerberg conceded on March 21, as headlines mounted. "I'm serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward."