Facebook Fails Again to Prove That It’s Serious About Personal Data

“I want to share an update on the Cambridge Analytica situation — including the steps we’ve already taken and our next steps to address this important issue,” said Facebook’s CEO, Mark Zuckerberg, in a post on March 21st.

“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity.”

Facebook has so far suspended around 200 apps as a result of the ongoing audit – something that comes as a surprise to no one. But now news is emerging about the credibility of its audit. It seems that, after receiving complaints about a quiz app that might have leaked information on its 120 million users, it took Facebook one month to fix it.

The Hunt Begins

Following the Cambridge Analytica scandal, Facebook announced the launch of a bounty program in April, which rewarded people for flagging apps that misuse data. An ethical hacker by the name of Inti De Ceukelaire was one of those who took part in the hunt. He soon found that personality quizzes created by Nametests.com were fetching his personal information and making it publicly available to third parties.

Nametests, the maker of popular Facebook personality quizzes, claims to have more than 120 million users.

De Ceukelaire tried to simulate a data leak: he set up a website to connect to Nametests.com and found that one visit to the website was enough to provide access to personal Facebook data for up to two months, even if a user deleted the app.

The exposed data contained the following: Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices used, when the information was last updated, posts and statuses, photos and friends.

De Ceukelaire reported the bug to Facebook on April 22, but the loophole wasn’t fixed until June 25.

But even after the fix, it remains unknown who may have accessed or stored that data. We probably won’t find out until the next big scandal emerges. The company behind Nametests, a German firm called Social Sweethearts, has stated that there was no evidence that personal data of users was disclosed to unauthorized third parties and that there was no evidence that it had been misused.