Slashdot Mirror


Facebook Faces New Accusation of Data Leak Via Quiz App (politico.eu)

A security failure in a popular quiz app on Facebook left millions of people's data exposed for almost two years, a cybersecurity activist revealed Thursday. From a report: The application, called Nametests.com, has run Facebook quizzes for years, but it left unprotected the personal data of Facebook users taking such a quiz on its website, allowing third parties to read and steal the data, the activist said. The leak was discovered by Belgian hacker Inti de Ceukelaire, who published his findings in a blog post. "There was a security leak at one of the most popular quiz apps that was accessible for at least two years," De Ceukelaire told POLITICO. "I can only note that Facebook didn't see this." He added that the data exposed included pictures, status updates, friends lists and more.

22 comments

  1. belgium gets they shit pushed in by england by Anonymous Coward · · Score: 0, Troll

    One of the basic principles of javascript is that it can be shared with other websites. Since NameTests displayed their user’s personal data in javascript file, virtually any website could access it when they would request it.

    1. Re:belgium gets they shit pushed in by england by Anonymous Coward · · Score: 0

      "Since NameTests displayed their user’s personal data in javascript file"

      WTF does that even mean. Javascript cannot save files.

    2. Re: belgium gets they shit pushed in by england by Anonymous Coward · · Score: 0

      ??

      https://stackoverflow.com/questions/13405129/javascript-create-and-save-file

    3. Re: belgium gets they shit pushed in by england by Anonymous Coward · · Score: 0

      So those idiots wrote the data on the person's computer and other websites read that data.

      The problem is with these idiots, not javascript. File systems don't have the means to lock files to particular domain names for scripts run by a browser.

    4. Re: belgium gets they shit pushed in by england by Anonymous Coward · · Score: 0

      Not sure tbh. I haven't read the detailed article. Only TFS.

    5. Re:belgium gets they shit pushed in by england by Joce640k · · Score: 2

      "Since NameTests displayed their user’s personal data in javascript file"

      WTF does that even mean. Javascript cannot save files.

      It can't save a file on the local machine but it can certainly scrape a web page and send the contents to a server.

      Or maybe it means they did:

      document.write("Joe Sixpack");

      And this info was scraped by another script.

      --
      No sig today...
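
The leak pattern debated in the thread above (per-user data served as a JavaScript file that any site can include), shown beside a hardened endpoint. This is an added example, not part of the original comments and not NameTests' code; the handler names, session store, profile fields and request shapes are all hypothetical.

```javascript
// Added illustration: handler names, session store and profile fields are hypothetical.
const SESSIONS = { "sid-123": { name: "Constructed User", friends: ["Friend A", "Friend B"] } };
const deny = (status) => ({ status, headers: { "Cache-Control": "no-store" }, body: "" });

// Weak pattern: per-user data emitted as executable JavaScript, authorised only
// by the session cookie. Any page may load a cross-origin script, and the
// globals it defines become visible to the page that included it.
function weakHandler(req) {
  const profile = SESSIONS[req.cookies.sid];
  if (!profile) return deny(401);
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(profile) + ";",
  };
}

// Hardened pattern: serve data as JSON, never as script, and refuse requests
// that did not come from the site's own front end.
function hardenedHandler(req) {
  const h = req.headers;
  const profile = SESSIONS[req.cookies.sid];
  if (!profile) return deny(401);
  // Fetch Metadata headers (sent by supporting browsers) describe the request context.
  if (h["sec-fetch-site"] && h["sec-fetch-site"] !== "same-origin") return deny(403);
  if (h["sec-fetch-dest"] === "script") return deny(403);
  // A <script src> load cannot attach custom headers, so requiring one
  // rejects script includes even from browsers without Fetch Metadata.
  if (h["x-requested-with"] !== "XMLHttpRequest") return deny(403);
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // browser refuses to run this as a script
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(profile),
  };
}

// Constructed request shapes for a regression test: a script include from
// another site (session cookie attached) versus the site's own XHR call.
const crossSiteScriptLoad = () => ({
  cookies: { sid: "sid-123" },
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
});
const sameOriginXhr = () => ({
  cookies: { sid: "sid-123" },
  headers: { "sec-fetch-site": "same-origin", "x-requested-with": "XMLHttpRequest" },
});
```

Setting the session cookie with a `SameSite` attribute adds a further layer, since the cookie is then withheld from cross-site script loads in the first place.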
  2. Facebook is a cancer by Anonymous Coward · · Score: 0

    Treat it as such.

    How to spot a Facebook cancer - find an imbecile taking a selfie, or chatting while walking.

  3. All kidding aside... by Rob+Y. · · Score: 3, Insightful

    ...why on Earth does Facebook pay for content with your data? Because that seems to be their business model. They want games, etc. in order to keep you on their site - and sell ads against you. So far, so good. But why not give 3rd party content providers a cut of the ad revenue? Isn't that what Google does with YouTube?

    As it is, Facebook seems to want the content - while hoarding all the ad revenue for itself. Nice business model, if you can manage to blur the lines enough so that your users don't understand just what greedy, unscrupulous shits you are. And 'they all do it' won't cut it. It just serves Facebook's agenda. They don't all do what is being described here. Only Facebook, that we know of, stoops that low.

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...
  4. I don't think any facebook users care by Anonymous Coward · · Score: 0

    The only people that seem to care about all this facebook privacy stuff is the media. I never hear a facebook user complain. I think they understand that in return for using the platform for free they surrender their data.

  5. red devils dry bang three lions by Anonymous Coward · · Score: 0

    Think of it in terms of traditional media.
    YouTube runs ads against content produced by others, and as such pays them a share. Facebook sells ads to people looking to in turn sell you something. They produce no content for the end user and as such don't get paid.

  6. Yes, but by orev · · Score: 1

    Yes, Facebook is bad, but this is on some PARTNER web site. Is Facebook (and every other Internet company) supposed to constantly pen test the sites of all their partners? They should probably have contracts in place, but legally the risk lies with Nametests, not Facebook. Facebook can only do so much to enforce the practices on their partners.

    1. Re:Yes, but by squiggleslash · · Score: 1

      Maybe it shouldn't be giving timelines and photos to third parties to begin with? What the f--- does a "Quiz App" need with that information?

      --
      You are not alone. This is not normal. None of this is normal.
  7. Facebook == Digital Tobacco by ytene · · Score: 2

    Hopefully we've reached a point where anyone old enough to buy tobacco understands that it kills, that it causes lung cancer, throat cancer, hardens arteries, kills taste buds and is generally not very pleasant. Apparently, it's also highly addictive.

    Yet, dangerous as it is - and as widely as that danger is understood - people still smoke.



    In a similar way, Facebook is just as harmful. Although the fact that it's now widely understood that it can kill your privacy, a frightening number of users remain in either ignorance or denial of the way that it can harm their lives.

    Here are some [known, established examples] of the way that your Facebook profile can harm you:-

    - If you apply for a job today, many employers will search your FB profile to get an idea of your "maturity" and behaviours.
    - If you apply for health insurance or similar, companies will search your profile for evidence of you smoking, drinking to excess, participating in high-risk sports, etc.
    - If you apply for a credit card or loan, banks will search your network of friends for any with bad credit histories, criminal convictions or other "red flags".
    - If you "pull a 'sickie'" and call in to work sick, companies will search your social media profiles for activity on those days
    - on and on and on...

    Here's the bottom line:-
    Very few people smoke and experience no ill effects
    Most smokers suffer illnesses, compromised immune systems, shortness of breath, lack of fitness and die earlier than non-smokers
    Quite a few smokers contract serious illnesses, including cancers, and experience abnormally premature death


    Facebook is like that:-
    Very few Facebook users will be able to access the platform with no ill effects on their lives
    Most users will experience ill-effects, although they may not even be aware of it happening. Credit cards might charge a bit more; job applications might be unsuccessful, that sort of thing.
    And a smaller but unknown number of Facebook users could experience serious ill-effects from use of the platform, although, I'd concede, these are people who do something a little foolish like post to say they are overseas on holiday and then get back to find their home has been burgled...

    Just to be clear, I'm not suggesting that Facebook are directly degrading people's lives. Rather, they are selling access to your data to other companies that can degrade your life. Bottom line?

    If you don't want ill-effects, don't use it. Just say no.

    1. Re:Facebook == Digital Tobacco by Cro+Magnon · · Score: 1

      In a similar way, Facebook is just as harmful. Although the fact that it's now widely understood that it can kill your privacy, a frightening number of users remain in either ignorance or denial of the way that it can harm their lives.

      Here are some [known, established examples] of the way that your Facebook profile can harm you:-

      - If you apply for a job today, many employers will search your FB profile to get an idea of your "maturity" and behaviours.

      - If you apply for health insurance or similar, companies will search your profile for evidence of you smoking, drinking to excess, participating in high-risk sports, etc.

      - If you apply for a credit card or loan, banks will search your network of friends for any with bad credit histories, criminal convictions or other "red flags".

      - If you "pull a 'sickie'" and call in to work sick, companies will search your social media profiles for activity on those days

      - on and on and on...

      1. I don't display my immaturity on FB. There, I'm a respectable, downright boring guy.

      2. I don't smoke, drink, or take dangerous chances. My only health vice is I drink too much Coke.

      3. None of my current FB friends have any known "red flags". A previous friend had issues, but he lost his FB account years ago due to pwnage.

      4. Unless I'm unconscious, or in a hospital, there's nothing odd about posting on FB while sick at home. Unless I'm stupid enough to post pics of the beach or wherever I'm really at.

      I'm not saying FB is good. It's not. But it's not that hard to be on it without having any problems. Just assume that whatever you do there is potentially public, regardless of your settings.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:Facebook == Digital Tobacco by tlhIngan · · Score: 1

      In a similar way, Facebook is just as harmful. Although the fact that it's now widely understood that it can kill your privacy, a frightening number of users remain in either ignorance or denial of the way that it can harm their lives.

      Here are some [known, established examples] of the way that your Facebook profile can harm you:-

      - If you apply for a job today, many employers will search your FB profile to get an idea of your "maturity" and behaviours.

      - If you apply for health insurance or similar, companies will search your profile for evidence of you smoking, drinking to excess, participating in high-risk sports, etc.

      - If you apply for a credit card or loan, banks will search your network of friends for any with bad credit histories, criminal convictions or other "red flags".

      - If you "pull a 'sickie'" and call in to work sick, companies will search your social media profiles for activity on those days

      - on and on and on...

      1. I don't display my immaturity on FB. There, I'm a respectable, downright boring guy.

      2. I don't smoke, drink, or take dangerous chances. My only health vice is I drink too much Coke.

      3. None of my current FB friends have any known "red flags". A previous friend had issues, but he lost his FB account years ago due to pwnage.

      4. Unless I'm unconscious, or in a hospital, there's nothing odd about posting on FB while sick at home. Unless I'm stupid enough to post pics of the beach or wherever I'm really at.

      I'm not saying FB is good. It's not. But it's not that hard to be on it without having any problems. Just assume that whatever you do there is potentially public, regardless of your settings.

      Problem is, that's showing a level of maturity that I don't think a lot of Facebook users have. Far too many people treat social media as a bragging medium - they feel like they must post something amazing on it and not appear "boring". Thus all those incidents of photos while drunk, taking a sick day to hit the beach (and SELFIES!), etc.

      I too lead a boring life, and I don't feel the need to post every minute of it. I like to keep to myself so I prefer not to share at all.

      Because you have to remember everything you post online IS public. "Privacy settings" are marketing tools meant to get people to spill their guts - if Facebook offered no privacy controls, no one would post half the stuff they do. But because they do, everyone posts all the crap online. Thus giving Facebook the information they so crave.

  8. who in their right mind uses facebook apps? by Anonymous Coward · · Score: 0

    I always had them disabled...

  9. Facebook or stupidthing.com's problem? by CharlesAKAChuck · · Score: 1

    I'm confused, some user goes to a website, that website is insecure, and that's somehow Facebook's fault?

    1. Re:Facebook or stupidthing.com's problem? by ytene · · Score: 2

      I think you'll find that in this case the circumstances were:-

      1. A company ran a quiz which was hosted on Facebook, with Facebook's permission.

      2. The same company then, also with Facebook's permission, exported a whole stack of data, from Facebook, to a.n.other web site.

      3. Then the a.n.other web site, which was insecure, exposed all the data from Facebook users.

      I understand why you might wonder, "Is that Facebook's problem?" and the answer is that Facebook has what is legally known as a "duty of care" [which originates from tort law] and which basically says that because this process was originally hosted by Facebook, they had a duty of care to ensure that the data that was collected was not irresponsibly exposed.

      To be fair, the law is going to hit a "grey area" when it comes to the point at which FB ended their responsibility to oversee the data. For example, once the transfer had completed and it was no longer in their legal custody, a court might accept that responsibility had ended. But there are exceptions - such as whether the transfer mechanism was encrypted or not [which would turn on whether the information included "Personally Identifying Information" and so on].

      There's also the question of whether or not quiz participants were clearly told that their answers would be exported off of FB's site, used by a third party, etc. Or whether it was simply a case of "Try this fun quiz!" The conditions surrounding the way in which the quiz was presented to participants would likely turn on FB's own "Code of Conduct" or "Terms of Service", so although you are technically correct to say, "But the data was stolen from some other random server. Why are FB responsible for that?" the answer might be a subtle one, along the lines of:- "Well, FB are responsible for allowing the data to be exported to that server in the first place..."

      None of this answer is based on either certainty of the facts; I have no inside knowledge of the scenario... Just trying to extrapolate from what's being publicly reported...

  10. Who the fuck is still using FACEBOOK anymore?!? by Hallux-F-Sinister · · Score: 1

    Seriously... what idiot is still using Face... (--- checks to make sure old Facebook login doesn't work --- "okay, good, it doesn't,") ... is still using Facebook anymore?

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  11. Facebook faces lost face over losing face pictures by omfglearntoplay · · Score: 1

    Millions of faces
    Peaches for me
    Millions of faces
    Peaches for free
    Millions of faces
    Peaches for me
    Millions of faces
    Peaches for free
    LOOKOUT! ... JUM JUM JUM, jum jum jum.

  12. Remind me again, How many employees? by goombah99 · · Score: 1

    Facebook is freaking enormous. What the hell do all these people do if not security design and security inspection? Pass a law making them liable. Screw it if it puts them out of business.

    --
    Some drink at the fountain of knowledge. Others just gargle.