Curious after the Cambridge Analytica scandal, Ceukelaire decided to take his very first Facebook quiz and use his hacking skills to see just how the third-party platform used his data. He chose the platform most used by his Facebook friends, nametests.com, and took a quiz: “Which Disney Princess Are You?”
Once a user visited that malicious webpage, data would be accessible for up to two months. Deleting nametests.com doesn’t solve the issue either; users also have to delete the cookies on the device to stop the data access.
As part of Facebook’s Data Abuse Bounty program, the vulnerability has now been corrected; Ceukelaire donated the reward to charity. Nametests says it didn’t find anything suggesting the data was abused and says it put additional tests in to avoid similar data leaks in the future. Facebook also revoked all access to Nametests, which means users will have to grant the app permission again to continue using the quizzes.
But perhaps what is even more disconcerting is that after Cambridge Analytica, and after data researchers suggested that most Facebook quizzes exist to track your data, and after another quiz app was exposed, online quiz platforms can still say they have 120 million monthly users. Is finding out which Disney princess you are worth allowing another company to access your Facebook data?
Already taken the quiz? Find out how to adjust your security settings here.