
What kind of data leak are you? Hacker says Facebook quizzes still leak data

History has a tendency to repeat itself. Months after Cambridge Analytica, 120 million Facebook users could have their data accessed by malicious websites after a quiz company put data like name, gender, and even photos inside easily accessible JavaScript. As Facebook continues auditing hundreds of third-party apps, hacker Inti De Ceukelaire shared how a security vulnerability on the quiz platform nametests.com could have exposed data of 120 million users.

Curious after the Cambridge Analytica scandal, Ceukelaire decided to take his very first Facebook quiz to use his hacking skills to see just how the third-party platform used his data. He used a platform most used by his Facebook friends, nametests.com, and took a quiz: “Which Disney Princess Are You?”


Using his hacking background, Ceukelaire followed the data and found his information inside easily accessible JavaScript. JavaScript files are designed to be shared between websites, which means that any site that you visit after that test could access that data. The data include things like username, gender, friend lists, and shared posts.

The nature of JavaScript means that someone who took the test would have to visit a malicious website for a data leak to occur, so the flaw doesn’t mean that data for all 120 million users of the platform was compromised. The easy accessibility of that data, however, is concerning, Ceukelaire says. As an example of just what could happen with that type of security flaw, a pornographic website could access a friend list and use that friend list to blackmail users with the threat of exposure, Ceukelaire suggested.
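The pattern described above, with the weak form beside a hardened one, as an added example that is not code from nametests.com or from the researcher's report. The handler names, the `quiz.example` origin and the session shape are assumptions made for illustration.

```javascript
// Added example: constructed handlers, not nametests.com code.
const FIRST_PARTY = "https://quiz.example"; // hypothetical first-party origin

// Weak: personal data emitted as executable JavaScript. Any other site can pull
// it in with a <script src> tag, and the browser attaches the user's cookies.
function userDataAsScript(session) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var user = " + JSON.stringify(session.user) + ";",
  };
}

// Hardened: data-only JSON, refused when the browser reports a cross-site or
// script-tag request, and marked so it is never sniffed into a script.
function userDataAsJson(req, session) {
  const site = req.headers["sec-fetch-site"]; // absent in older browsers
  const dest = req.headers["sec-fetch-dest"];
  const origin = req.headers["origin"];
  const foreign = (site !== undefined && site !== "same-origin") ||
                  (origin !== undefined && origin !== FIRST_PARTY);
  if (foreign || dest === "script") {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cross-Origin-Resource-Policy": "same-origin",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(session.user),
  };
}

// Review check: a 2xx response can run from a <script> tag if it declares a
// JavaScript MIME type, or if nosniff is missing so the type is not enforced.
function scriptTagCanRun(res) {
  const type = (res.headers["Content-Type"] || "").split(";")[0].trim().toLowerCase();
  const jsType = /^(application|text)\/(x-)?(java|ecma)script$/.test(type);
  const nosniff = (res.headers["X-Content-Type-Options"] || "").toLowerCase() === "nosniff";
  return res.status >= 200 && res.status < 300 && (jsType || !nosniff);
}

// Constructed sample session.
const sampleSession = { user: { name: "Test User", gender: "n/a", friends: ["Friend A", "Friend B"] } };
```

Setting the session cookie with the `SameSite` attribute additionally keeps it from being sent on cross-site script requests.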

Once a user visits that malicious webpage, the data would be accessible for up to two months. Deleting nametests.com also doesn’t solve the issue — users also have to delete the cookies on the device to stop the data access.

As part of Facebook’s Data Abuse Bounty program, the vulnerability has now been corrected; Ceukelaire donated the reward to charity. Nametests says it didn’t find anything suggesting the data was abused and says it put additional tests in to avoid similar data leaks in the future. Facebook also revoked all access to Nametests, which means users will have to grant the app permission again to continue using the quizzes.

But perhaps what is even more disconcerting is that after Cambridge Analytica, and after data researchers suggested that most Facebook quizzes exist to track your data, and after another quiz app was exposed, online quiz platforms can still say they have 120 million monthly users. Is finding out which Disney princess you are worth allowing another company to access your Facebook data?

Already took the quiz? Find out how to adjust your security settings here.

Hillary K. Grigonis