Sensitive Facebook information for up to 120 million users was put at risk for years by a leaky quiz app company called Nametests.com, a security researcher disclosed today, proving what many experts previously suspected: Cambridge Analytica was the tip of the iceberg.

Inti De Ceukelaire, an ethical hacker and bug bounty hunter, found that anyone could have accessed the Facebook profile information of users signed up to one of the many quizzes being circulated via the application. He discovered that the data—which included names, dates of birth, posts, statuses, pictures and friend lists—could be compromised even after the apps were deleted.

The researcher, who uploaded footage of the security issue to YouTube, said in a blog post he was "shocked" to see that the website would fetch a user's Facebook information and display it on an external webpage configured in a way that could be accessed—and exploited—by literally anyone. "In a normal situation, other websites should not be able to access this information," he warned.

The issue was reported to the Mark Zuckerberg-led platform on April 22 and resolved in late-June this year. According to web records, the flaw had existed since 2016. Nametests, which has 120 million monthly active users thanks to Facebook pages in different languages, offers tests and quizzes which spread across social media. The developer said it had "no evidence of abuse by a third party."

But De Ceukelaire said the implications could be significant. "I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos," he wrote.

"Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends," the researcher continued. "More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends." The issue was reported under Facebook's Data Abuse Bounty Program, enacted on April 10 to study suspected app issues.

To access the quizzes, the application requires users to log in via Facebook. De Ceukelaire said that it would have been "easy" for an attacker to create a booby-trapped website that stole their data.

It remains unclear if the information could have been exploited in bulk.

Nametests.com's terms of service state that the purchase of and use of products "offered by third parties through the site is at your own discretion and risk." The company claimed that it has already implemented heightened security measures, but the true scope of the data leak remains murky. According to De Ceukelaire, it is highly probable that he was not the only person aware of the flaws.

"I can only say that it was actually easy to spot, and I would be surprised if nobody else found this earlier, given the website claims to generate more than three billion page views every month, most of which had references to the leaky JavaScript," he wrote in the blog post, continuing: "Nametests does state that, according to the data and knowledge they have, they did not find any evidence of abuse."

The ethical hacker said it was "important to note that if this flaw was ever abused, only the users that really visited the attacker's website would have their information leaked to the attacker." Users could only stop the app from revealing data by manually deleting the cookies on their device, he added.

He advised anyone concerned about the incident to review and delete any unwanted applications.

For the discovery, the researcher was awarded $8,000, which was donated to the Freedom of the Press Foundation. The original bounty was $4,000, but was doubled because it was given to charity.

Ime Archibong, vice president of product partnerships at Facebook, told Newsweek: "A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June."

Nametests is the work of German publisher Social Sweethearts, according to CrunchBase.

In a statement on Wednesday, Social Sweethearts told Newsweek: "The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, information security is taken very seriously at social sweethearts and measures are currently being taken to avoid risks in the future."

Facebook acknowledged that the bug "could have allowed an attacker to determine the details of a logged-in user to Facebook's platform" if they were redirected to a malicious website.

While De Ceukelaire welcomed the fix, he warned: "We cannot accept that the data of hundreds of millions of users could have been leaked out so easily. We can and must do better."

Earlier this year, Facebook was thrust into scandal after The Observer newspaper revealed that millions of accounts had been targeted by a U.K.-based political profiling outfit called Cambridge Analytica, which had known ties to the 2016 election campaign of U.S. president Donald Trump. Zuckerberg, feeling the heat, was forced to appear before politicians to answer questions about data misuse.

Facebook is currently conducting a full audit of its third-party applications.

"I started Facebook, and at the end of the day I'm responsible for what happens on our platform," Zuckerberg conceded on March 21, as headlines mounted. "I'm serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward."
