Facebook: Quiz application data leak of 120 million users


Following the Cambridge Analytica privacy scandal, Facebook launched an audit of third-party applications that operate on its platform. The process is still ongoing, but about 200 applications have already been suspended, which highlights many failures in user security. The most recent and most disturbing: the Quiz application, which for years leaked the information of 120 million users, reports "TechCrunch".

Facebook CEO Mark Zuckerberg committed to "investigating applications that had access to large amounts of information before modifying our platform to significantly reduce access to data in 2014, and perform a full audit of any application with suspicious activity." Thus, amid the tumult of Cambridge Analytica, the case of Quiz, a quiz app, was discovered.

Quiz counted 120 million monthly users. Its flaw was discovered at the end of April and corrected only a month later. The problem for Facebook would materialize if it did not reveal to the affected users that their personal information was in danger, at least in Europe under the GDPR regulation that came into effect on May 25 (the solution arrived in June).

Facebook did not uncover the error

Before the audit revealed the privacy failure, a security researcher found the flaw. Inti De Ceukelaire, referred to as a "hacker", explained in a report that he was looking for data abusers on Facebook in order to obtain a reward promised by the social network to those who reported such cases. He started by looking at third-party apps used by his friends on the social network: Quiz was one of the most popular.

Quiz already had a reputation for "trafficking" in data, or so De Ceukelaire understood. He tried the application of the NameTests.com brand and quickly found that the company was exposing Facebook user data to "any third party who made the request". This was done through a JavaScript file, which potentially exposed the identification, personal profile and other data recorded about Facebook users to any website.

He also found that it offered an access token giving access to even more comprehensive data, such as posts, photos and friends on the social network. This depended on the type of quiz, since different quizzes collected different information from users. The data had been exposed since at least the end of 2016. Meanwhile, NameTests presents itself with "our goal is simple: make people smile!", adding that its tests are meant to be a little "funny".

So when a user took a test such as "which Dragon Ball character are you", what they were actually doing was handing over their personal information. According to De Ceukelaire, the company would continue to reveal information about users even after they deleted the app. To avoid this, users should manually delete cookies from their device, because NameTests does not offer a way to log out.
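The leak pattern described in the two passages above (user data served inside a JavaScript file, and sessions that keep working after the app is removed), shown next to a hardened form. This is an added example, not NameTests' or Facebook's code; the handler names, the session store, the request shape and the choice of Fetch Metadata headers as the defence are assumptions made for illustration.

```javascript
// Constructed sample sessions: cookie value -> user record (not real data).
const SESSIONS = new Map([
  ["sess-abc", { id: "1001", name: "Sample User", appRemoved: false }],
  ["sess-old", { id: "1002", name: "Former User", appRemoved: true }],
]);
const deny = (status) => ({ status, headers: {}, body: "" });

// Weak form: data wrapped in executable JavaScript, gated only by the cookie.
// A <script> include from any other site carries the cookie and is exempt
// from the same-origin policy, so that site can read the global variable.
function weakHandler(req) {
  const user = SESSIONS.get(req.cookies.session);
  if (!user) return deny(401);
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `var userData = ${JSON.stringify({ id: user.id, name: user.name })};`,
  };
}

// Hardened form (one possible fix, assumed here, not the vendor's patch).
function hardenedHandler(req) {
  const site = req.headers["sec-fetch-site"];
  const dest = req.headers["sec-fetch-dest"];
  // Fetch Metadata check: refuse cross-site requests and script loads.
  if ((site && site !== "same-origin") || dest === "script") return deny(403);
  const user = SESSIONS.get(req.cookies.session);
  // A session must stop working once its owner has removed the app.
  if (!user || user.appRemoved) return deny(401);
  return {
    status: 200,
    headers: {
      // Plain JSON is not executable; nosniff stops it being run as script,
      // and without CORS headers other origins cannot read it via fetch.
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify({ id: user.id, name: user.name }),
  };
}

// Constructed requests: a cross-site <script> include and a same-origin fetch.
const crossSiteScript = { cookies: { session: "sess-abc" },
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" } };
const sameOriginFetch = { cookies: { session: "sess-abc" },
  headers: { "sec-fetch-site": "same-origin", "sec-fetch-dest": "empty" } };
```

Browsers that do not send Fetch Metadata headers pass the first check, which is why the JSON content type and `nosniff` are set as well.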

De Ceukelaire and "TechCrunch" contacted NameTests to discuss the issue. The parent company, the German company Social Sweethearts, said in a statement that it was carefully addressing the issue and that "the investigation revealed that there was no evidence that the personal data of users was disclosed to unauthorized third parties, and even more so that there was no evidence that it had been misused."

Facebook replied

While Social Sweethearts said that it was taking steps to avoid future risks, Facebook said that it would conduct its own investigation once it was alerted by De Ceukelaire on April 30. The social network, consulted several weeks later, only managed to explain that it would take three to six months to complete its work. On June 25, NameTests had closed the … Two days later, the social network admitted the error.

"This [the error] could have allowed an attacker to determine the details of a user connected to the Facebook platform," says the social network. It also said that it had cross-checked information with NameTests to confirm that the problem had been solved. Although this company's applications still work on the social network, no evidence of suspicious activity has been found in blocked applications.

Finally, the social network paid a double reward of $4 thousand to a charity, in accordance with its reward program for reports of data abuse. This was done at the request of De Ceukelaire.
