Hot on the heels of the Cambridge Analytica scandal, which saw the personal data of up to 87 million Facebook users collected by a third-party quiz and used to profile them for political campaigns without their knowledge, details have emerged about another vulnerability that has exposed the personal data of up to 120 million individuals for the last 18 months.
A quiz company called NameTests, which accessed personal data through the Facebook API, had a serious flaw in its website. Names, dates of birth, posts, statuses, pictures and friend lists of those taking part in online quizzes were all readily accessible, according to ethical hacker Inti De Ceukelaire, who goes by the Twitter handle @securinti. The data could be compromised even after the apps had been deleted.
De Ceukelaire reported the vulnerability to Facebook on 22 April, but a month later the social media firm told him it could take three to six months to investigate the issue. However, on 25 June he noticed that NameTests had fixed the vulnerability. The firm told him it had found no evidence of abuse by a third party.
The flaw appears to have existed since the end of 2016. NameTests has more than 120 million active monthly users, so a considerable amount of personal data could potentially have been syphoned off and used for who knows what.
"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends," De Ceukelaire wrote.
On 27 June Facebook contacted De Ceukelaire, confirming the existence of the vulnerability and saying it was now fixed. At De Ceukelaire's request it donated $8,000 to the Freedom of the Press Foundation as part of the data abuse bounty programme.
While there is no evidence that any personal data was abused as a result of the glitch, De Ceukelaire said that accessing the information was "easy". The real scandal is that a tech company as sophisticated as Facebook apparently views the security of third-party apps using its API as a minor concern.