Another Facebook quiz app was harvesting user data after Cambridge Analytica. Facebook co-founder, Chairman and CEO Mark Zuckerberg arrives to testify before a combined Senate Judiciary and Commerce committee hearing on Capitol Hill April 10, 2018 in Washington, DC. Chip Somodevilla/Getty Images

Months after the Cambridge Analytica scandal rocked Facebook’s public image and led to CEO Mark Zuckerberg directly addressing government bodies, it sounds like the root of the problem has not been entirely solved. A hacker found out that a popular Facebook quiz app had been harvesting data in a way that made it easily visible to third parties, similar to how the Cambridge Analytica problem started.

The exploit was found by Inti De Ceukelaire, a hacker who documented the process in a Medium post. De Ceukelaire had never taken a Facebook quiz before, so he found a quiz source called NameTests that his friends had used. While taking the quiz, he noted the app was taking all his personal information and storing it on a separate webpage.

The problem, De Ceukelaire noted, was that the data was stored in JavaScript. That meant it could be freely seen by other websites, as long as they decided to ask for it. He even set up a fake website to demonstrate exactly what kind of data NameTests was getting from its users.
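The pattern described above, shown from the server side next to a hardened form. This is an added example, not code from De Ceukelaire's post or from NameTests; the function names, field names and the quiz.example origin are assumptions made for illustration.

```javascript
// Added illustration; response shapes, field names and origin are assumptions.
const ALLOWED_ORIGIN = "https://quiz.example"; // hypothetical first-party origin
const sampleUser = { name: "Alice Example", birthday: "1990-01-01" }; // constructed

// Pattern the article describes: personal data emitted as executable JavaScript.
// Any site can reference it with a script tag and the browser attaches the
// visitor's cookies, so the same-origin policy does not protect the values.
function respondAsScript(user) {
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// Hardened form: refuse requests that are not same-origin or that come from a
// script tag, and return plain JSON that browsers will not execute.
// Browsers that send no Sec-Fetch-* headers still get JSON plus nosniff.
function respondAsJson(user, reqHeaders) {
  const site = reqHeaders["sec-fetch-site"];
  const origin = reqHeaders["origin"];
  const notSameOrigin = site === "cross-site" || site === "same-site";
  const scriptLoad = reqHeaders["sec-fetch-dest"] === "script";
  const foreignOrigin = origin !== undefined && origin !== ALLOWED_ORIGIN;
  if (notSameOrigin || scriptLoad || foreignOrigin) {
    return { status: 403, headers: { "content-type": "text/plain" }, body: "forbidden" };
  }
  return {
    status: 200,
    headers: {
      "content-type": "application/json",
      "x-content-type-options": "nosniff",
      "cache-control": "no-store",
    },
    body: JSON.stringify(user),
  };
}

// Review helper: would a browser run this response when loaded by a script tag?
// With nosniff only JavaScript MIME types run; this simplified check treats
// any 200 response without nosniff as runnable.
function runsAsScript(res) {
  const type = (res.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const isJsMime = /^(application|text)\/(x-)?(java|ecma)script$/.test(type);
  if (res.headers["x-content-type-options"] === "nosniff") return isJsMime;
  return res.status === 200;
}
```
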

De Ceukelaire reported the problem to Facebook, which the site asks its users to do as part of its Data Abuse Bounty Program. He told Facebook about what NameTests was doing on April 22, but Facebook’s responses were sparse and unsatisfactory. When he checked back in at the end of May, NameTests was still doing it.

Finally, by June 25, he noticed the harvesting had stopped. For his efforts, Facebook honored De Ceukelaire’s request and donated $8,000 to the Freedom of the Press Foundation. Facebook detailed the situation in a Thursday blog post, claiming the situation had been resolved by NameTests parent company Social Sweethearts and thanking De Ceukelaire for reporting the problem.

“We appreciate Inti’s work to identify this issue and Social Sweethearts’ quick action to fix it on their site,” Facebook wrote. “This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems.”

Social Sweethearts, for its part, claimed in a statement to TechCrunch that there was no reason to believe anyone’s data was used improperly. Whether it was abused or not, situations like this raise eyebrows because the Cambridge Analytica scandal started with a quiz app that took users’ data without their explicit permission.

Aleksandr Kogan, the creator of that app, then sold the data to Cambridge Analytica. The election consulting firm used it to assist President Donald Trump’s 2016 presidential campaign.