Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles

Infosec bod shops NameTests, claims leaky code exposes info


Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people's personal information from their Facebook profiles.

This is quite possibly the first cash payment under the social network giant's new data abuse bug bounty program.

The under-fire Silicon Valley goliath introduced the bug bounty program in April after the Cambridge Analytica data-harvesting scandal. It offered a minimum of $500 – and no maximum – for anyone that provided proof that a third-party app had collected and transferred Facebook profile data to other parties. It is also a handy PR move by the biz.

Given that it’s only been two months since the scheme was launched and these kinds of investigations can take up to six months, it’s likely that this payout is the first, though Facebook have yet to confirm that this is the case, along with how many other reports are being investigated.

The bounty was awarded after self-described ethical hacker Inti De Ceukelaire found the quiz app at Nametests.com potentially exposed the data of more than 120 million monthly users.

Grabby code

In a blog post yesterday, De Ceukelaire said the web app fetched his personal data and stored it at nametests.com/appconfig_user, and was available for other sites to swipe it while he remained logged in. “In theory, every website could have requested this data,” he said.


Essentially, a malicious webpage in another tab can request the above URL to grab your profile details, once you've connected Nametests to your Facebook account. The app attempts to work out "what does your name really mean?"

Information revealed included first name, last name, language, gender and birth date – all of which would remain accessible even after the app was disconnected from a Facebook account. In addition, a token also gave access to all the data the user had authorised the application to access, which might include photos, posts or friend lists.
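To make the class of flaw concrete, here is an added illustration (not NameTests' or Facebook's code) of an endpoint like appconfig_user modelled two ways: a leaky version that answers any page open in the victim's browser, and a hardened version that only answers its own origin and keeps the Facebook token server-side. The leaky variant assumes a JSONP-style wrapper plus wildcard CORS; the article does not say which mechanism NameTests actually used, and the origin, session store and profile values are all constructed placeholders.

```javascript
const APP_ORIGIN = "https://quizapp.example"; // placeholder, not the real site

// Constructed session store: session cookie value -> data cached from Facebook.
const SESSIONS = {
  "sess-123": { first_name: "Alice", last_name: "Example", gender: "female",
                language: "en", birthday: "1990-01-01",
                fb_token: "FB-TOKEN-PLACEHOLDER" },
};

function userFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Leaky: trusts only the browser-attached cookie and wraps the data in a
// function call, so any site that embeds the URL as a <script> can read it.
function leakyAppConfig(req) {
  const user = userFromCookie(req.headers.cookie);
  if (!user) return { status: 401, headers: {}, body: "" };
  const cb = req.query.callback || "handleConfig";
  return { status: 200,
           headers: { "content-type": "application/javascript",
                      "access-control-allow-origin": "*" },
           body: `${cb}(${JSON.stringify(user)});` };
}

// Hardened: plain JSON (not loadable as a script), no wildcard CORS, a custom
// header that a cross-site <script>, <form> or simple fetch cannot attach, and
// an explicit Origin / Sec-Fetch-Site check. The Facebook token never leaves
// the server.
function hardenedAppConfig(req) {
  const h = req.headers;
  const site = h["sec-fetch-site"];
  const crossSite = (h.origin && h.origin !== APP_ORIGIN) ||
                    (site && !["same-origin", "none"].includes(site));
  if (crossSite || h["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: { vary: "Origin" }, body: "" };
  }
  const user = userFromCookie(h.cookie);
  if (!user) return { status: 401, headers: {}, body: "" };
  const { fb_token, ...profile } = user; // token stripped from the response
  return { status: 200,
           headers: { "content-type": "application/json",
                      "x-content-type-options": "nosniff", vary: "Origin" },
           body: JSON.stringify(profile) };
}
```

A SameSite=Lax or Strict attribute on the session cookie would add a second, browser-enforced layer on top of the header checks above.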

“I was shocked to see that this data was publicly available to any third-party that requested it,” said De Ceukelaire.

To demonstrate that the information could be nabbed, De Ceukelaire set up a website that connects to NameTests and gains access to a person’s posts, photos, and friends for up to two months. Here's a video demonstrating the slurp:

(Embedded YouTube video)

NameTests was launched in 2015, and De Ceukelaire reckons the flaw had been present since 2016; as the app claims some 120 million users each month, it could have affected a large number of people.

“Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends,” the researcher said. “More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends.”

However, as De Ceukelaire pointed out, it isn't clear how many people, if any, have been affected, noting also that only users that visited an attacker's website would have their data leaked to the attacker.

An early starter

De Ceukelaire reported the bug on April 22, just 12 days after the bug bounty program was announced, and this week spotted that NameTests had changed the way it processed data, with third parties no longer able to download the information.

On contacting the Zuckerborg, the biz agreed to pay a bounty of $4,000, which it doubled because De Ceukelaire had requested it be given to non-profit the Freedom of the Press Foundation (every chance for a good PR opp, eh?).

Ime Archibong, veep of product partnerships at Facebook, said: “A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.”

However, the presence of such a simple flaw raises questions about Facebook's screening processes, as basic security tests should have spotted the problem.

No foul on our part

For its part, NameTests.com has a set of guarantees on its feedback page, which include that data will never be sold to third parties, that users can unsubscribe at any time and that it complies with "strict data protection laws."

In a statement to El Reg, it said that data security was taken very seriously and measures were being taken to avoid risks in the future. It added: "The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused."

Meanwhile, Facebook is undertaking a wider probe into apps that accessed user data before the firm announced changes to its Graph API use policies in 2014 – this is at the heart of the Cambridge Analytica scandal because it allowed the app developed by GSR to suck up info on not just a user, but also all of their friends.

Last month, the tech giant offered a progress update, saying that it had suspended 200 apps "pending a thorough investigation into whether they did in fact misuse any data."

The biz has promised to notify users if there is evidence of any apps misusing data. ®
