Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles

Infosec bod shops NameTests, claims leaky code exposes info

Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people's personal information from their Facebook profiles.

This is quite possibly the first cash payment under the social network giant's new data abuse bug bounty program.

The under-fire Silicon Valley goliath introduced the bug bounty program in April after the Cambridge Analytica data-harvesting scandal. It offered a minimum of $500 – and no maximum – to anyone who provided proof that a third-party app had collected Facebook profile data and transferred it to other parties. It is also a handy PR move by the biz.

Given that it has only been two months since the scheme was launched, and these kinds of investigations can take up to six months, it's likely that this payout is the first. Facebook has yet to confirm that this is the case, or to say how many other reports are being investigated.

The bounty was awarded after self-described ethical hacker Inti De Ceukelaire found the quiz app at Nametests.com potentially exposed the data of more than 120 million monthly users.

Grabby code

In a blog post yesterday, De Ceukelaire said the web app fetched his personal data and served it from nametests.com/appconfig_user, where any other site could fetch it while he remained logged in to NameTests. "In theory, every website could have requested this data," he said.


Essentially, once you have connected NameTests to your Facebook account, a malicious webpage in another tab can request the above URL and grab your profile details, because your browser sends your NameTests session cookie along with the request. The app itself attempts to work out "what does your name really mean?"

Information revealed included first name, last name, language, gender and birth date – all of which would remain accessible even after the app was disconnected from a Facebook account. In addition, a token also gave access to all the data the user had authorised the application to access, which might include photos, posts or friend lists.
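The mechanism described above, as an added example written for this article (it is not NameTests', Facebook's, or De Ceukelaire's code): a logged-in endpoint whose response any other site can read, modelled as a request handler beside a hardened version, with a simulated attacker page that includes the endpoint via a script tag. The endpoint path and the leaked fields follow the article; the assumption that the response was JavaScript with a caller-chosen callback (JSONP style), the session store, the profile values and the `nametests.com` origin check are all constructed for the example.

```javascript
// Added example, not code from the original page. Models the class of flaw in the
// article: a cookie-authenticated endpoint whose body another origin can read.

// Constructed session store: cookie header -> profile. Values are made up.
const SESSIONS = {
  "sid=abc123": {
    first_name: "Alice",
    last_name: "Example",
    language: "en",
    gender: "female",
    birthday: "1990-01-01",
    fb_access_token: "token-constructed-0001", // the app's Facebook token for this user
  },
};

function lookupSession(req) {
  return SESSIONS[req.headers.cookie] || null;
}

// Vulnerable (assumed shape): the data comes back as executable JavaScript that
// calls a callback the requester names. Any page can embed
// <script src="https://nametests.com/appconfig_user?callback=steal"> and the
// browser will send the victim's cookie and run the response in the attacker's page.
function vulnerableAppconfigUser(req) {
  const user = lookupSession(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  const cb = (req.query && req.query.callback) || "appConfig";
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `${cb}(${JSON.stringify(user)});`,
  };
}

// Hardened: plain JSON (a script tag cannot read it), no CORS grant, cross-site
// requests refused outright where the browser labels them, and the Facebook
// token never sent to the page at all.
function hardenedAppconfigUser(req) {
  const user = lookupSession(req);
  if (!user) return { status: 401, headers: {}, body: "" };
  const site = req.headers["sec-fetch-site"]; // "same-origin", "same-site", "cross-site", "none"
  const origin = req.headers.origin;
  if ((site && site !== "same-origin") || (origin && origin !== "https://nametests.com")) {
    return { status: 403, headers: { "content-type": "application/json" }, body: JSON.stringify({ error: "cross-site request refused" }) };
  }
  const { fb_access_token, ...profile } = user; // keep the token server-side
  return {
    status: 200,
    headers: {
      "content-type": "application/json",
      "x-content-type-options": "nosniff",
      "cross-origin-resource-policy": "same-origin",
    },
    body: JSON.stringify(profile),
  };
}

// Simulates the attacker's page: a <script src=...> request is cross-site, carries
// the victim's cookie, and executes whatever comes back. legacyBrowser models a
// browser that sends neither Origin nor Sec-Fetch-Site on script loads.
function attackerScriptInclude(handler, legacyBrowser = false) {
  const headers = { cookie: "sid=abc123", "sec-fetch-dest": "script" };
  if (!legacyBrowser) headers["sec-fetch-site"] = "cross-site";
  const res = handler({ headers, query: { callback: "steal" } });
  if (res.status !== 200) return null;
  let stolen = null;
  const steal = (data) => { stolen = data; };
  try {
    // Execute the body as a script with the attacker's callback in scope.
    new Function("steal", res.body)(steal);
  } catch (e) {
    return null; // plain JSON is a syntax error as a script: nothing readable
  }
  return stolen;
}

module.exports = { vulnerableAppconfigUser, hardenedAppconfigUser, attackerScriptInclude };
```

The legacy-browser path is the reason the content format matters more than the header checks: a browser that sends no `Sec-Fetch-Site` passes the hardened handler's origin check, but it receives JSON, which a script tag cannot execute, so the attacker still gets nothing.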

“I was shocked to see that this data was publicly available to any third-party that requested it,” said De Ceukelaire.

To demonstrate that the information could be nabbed, De Ceukelaire set up a website that connects to NameTests and gains access to a person's posts, photos, and friends for up to two months. He also published a video demonstrating the slurp.

NameTests was launched in 2015, and De Ceukelaire reckons the flaw had been present since 2016. As the app claims some 120 million users each month, it could have affected a large number of people.

“Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends,” the researcher said. “More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends.”

However, as De Ceukelaire pointed out, it isn't clear how many people, if any, have been affected, noting also that only users that visited an attacker's website would have their data leaked to the attacker.

An early starter

De Ceukelaire reported the bug on April 22, just 12 days after the bug bounty program was announced, and this week spotted that NameTests had changed the way it processed data, with third parties no longer able to download the information.

On contacting the Zuckerborg, the biz agreed to pay a bounty of $4,000, which it doubled because De Ceukelaire had requested it be given to non-profit the Freedom of the Press Foundation (every chance for a good PR opp, eh?).

Ime Archibong, veep of product partnerships at Facebook, said: “A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.”

However, the presence of such a simple flaw raises questions about Facebook's screening processes, as basic security tests should have spotted the problem.

No foul on our part

For its part, NameTests.com has a set of guarantees on its feedback page, which includes that data will never be sold to third parties, that users can unsubscribe at any time and that it complies with "strict data protection laws."

In a statement to El Reg, it said that data security was taken very seriously and measures were being taken to avoid risks in the future. It added: "The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused."

Meanwhile, Facebook is undertaking a wider probe into apps that accessed user data before the firm announced changes to its Graph API use policies in 2014 – this is at the heart of the Cambridge Analytica scandal because it allowed the app developed by GSR to suck up info on not just a user, but also all of their friends.

Last month, the tech giant offered a progress update, saying that it had suspended 200 apps "pending a thorough investigation into whether they did in fact misuse any data."

The biz has promised to notify users if there is evidence of any apps misusing data. ®

Biting the hand that feeds IT © 1998–2022