This popular Facebook app publicly exposed your data for years

According to nametests.com, if I were a Disney Princess, I would be Jasmine.
In theory, any website could have requested this data. Note that the data also includes a ‘token’ which grants access to everything the user authorised the application to access, such as photos, posts and friends.
NameTests needs to know who you are, so its pages request nametests.com/appconfig_user; but any other website could make that same request.
An unauthorised website getting access to my Facebook information
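The post does not say how nametests.com/appconfig_user was served, only that any website could ask for it. The following added example (my own code, not NameTests' or Facebook's) models the server-side decision behind such an endpoint under the usual assumptions for this class of leak: the only check is the session cookie, the response is readable from other origins, and the Facebook access token is embedded in it. The weak handler sits beside a hardened one that rejects cross-site requests, requires a session-bound CSRF header and never returns the token. All names, headers and sample data are constructed for the example.

```javascript
'use strict';

// Constructed sample session store: one logged-in user. Not real data.
const SESSIONS = {
  'sess-alice': { name: 'Alice', fbAccessToken: 'FB-TOKEN-constructed', csrf: 'csrf-7f3a' },
};

// The app's own origin (assumed for the example).
const ALLOWED_ORIGIN = 'https://nametests.com';

// Builds the minimal request object both handlers inspect.
// Browsers attach the session cookie to cross-site requests as well, which is
// exactly what makes the weak handler leak.
function makeRequest({ session, origin, site, csrf, callback } = {}) {
  return {
    cookies: { session },
    headers: { origin, 'sec-fetch-site': site, 'x-csrf-token': csrf },
    query: { callback },
  };
}

// Weak handler (assumed pattern): "valid session cookie?" is the only check.
// Any page that can fetch or embed this URL receives the user's data,
// including the token that unlocks their Facebook data.
function weakAppConfigUser(req) {
  const user = SESSIONS[req.cookies.session];
  if (!user) return { status: 401, body: null };
  const body = { name: user.name, token: user.fbAccessToken };
  if (req.query.callback) {
    // JSONP-style wrapping: a <script src=...> tag on any site can read this.
    return { status: 200, body: `${req.query.callback}(${JSON.stringify(body)})` };
  }
  return { status: 200, body };
}

// Hardened handler: same endpoint, but the data only goes back to the app's
// own pages, and the access token never leaves the server.
function hardenedAppConfigUser(req) {
  const user = SESSIONS[req.cookies.session];
  if (!user) return { status: 401, reason: 'no session' };

  // No script-wrapped responses: data is only ever returned as JSON.
  if (req.query.callback) return { status: 400, reason: 'JSONP not supported' };

  // Fetch metadata: reject anything the browser labels cross-site.
  const site = req.headers['sec-fetch-site'];
  if (site && !['same-origin', 'same-site', 'none'].includes(site)) {
    return { status: 403, reason: 'cross-site request' };
  }

  // If an Origin header is present, it must be our own.
  const origin = req.headers.origin;
  if (origin && origin !== ALLOWED_ORIGIN) {
    return { status: 403, reason: 'origin not allowed' };
  }

  // Defence in depth for browsers without Sec-Fetch-Site: a session-bound
  // CSRF value that only our own pages know, sent in a custom header.
  if (req.headers['x-csrf-token'] !== user.csrf) {
    return { status: 403, reason: 'missing or wrong CSRF token' };
  }

  // Only what the page needs; the Facebook token stays server-side.
  return { status: 200, body: { name: user.name } };
}

// Returns true if a response body exposes the Facebook token (used for checks).
function leaksToken(res) {
  return JSON.stringify(res.body || '').includes('FB-TOKEN-constructed');
}

module.exports = { makeRequest, weakAppConfigUser, hardenedAppConfigUser, leaksToken };
```

Run through node: a request carrying the session cookie from a third-party origin (constructed as https://other-site.example) gets a 200 with the token from the weak handler and a 400 or 403 from the hardened one, while the app's own page, sending the CSRF header, still gets the user's name and nothing more.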

Timeline of events:

On April 22nd, I reported this to Facebook’s Data Abuse program.

FAQ

  • How many users were affected?
There are so many NameTests pages that I only published the ones with +1M likes.
  • How long did this flaw exist?
  • Did NameTests know about this?
  • Was this flaw ever discovered by someone else?
  • What data could have been leaked?
  • What data could have been leaked after the app was deleted?
  • How can I protect myself against these kinds of leaks?

Inti De Ceukelaire

Hacker @securinti | Head of Hackers @intigriti