Quiz app on Facebook accidentally exposes information of 120M users


A quiz app on Facebook that can tell you which Disney princess you are was also leaking the personal information of its 120 million users.

The quiz app was apparently storing its users' personal data in a rather sloppy way: the data circulated through a public JavaScript file that other websites could in theory access.

“I was shocked to see that this information was publicly available to third parties that requested it,” said Inti De Ceukelaire, a Belgian security researcher who discovered the data leak.

On Wednesday, he published a blog post describing how the JavaScript file could jeopardize users' privacy. A third-party website could exploit the JavaScript file to see whether incoming visitors had a Facebook profile. If they did, the website could harvest details from those Facebook profiles, including name, age, date of birth and gender.
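The server-side difference between a leaky and a hardened endpoint, as an added example that is not from the article, the researcher's blog post or the app's code. It assumes the data were emitted as a script that sets a global variable (the article does not show the file); the handler names and the sample user are constructed.

```javascript
// Constructed session record standing in for a logged-in quiz user.
const session = { name: "Alice Example", birthday: "1990-01-01", gender: "female" };

// Leaky pattern: per-user data emitted as executable JavaScript. A <script src>
// tag on any other site loads it with the visitor's cookies, and the
// same-origin policy does not stop that page from reading the global it sets.
function leakyHandler(req, user) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "var userData = " + JSON.stringify(user) + ";",
  };
}

// Hardened pattern: data only as JSON, never as script, and only to requests
// the browser marks as same-origin fetches.
function hardenedHandler(req, user) {
  const site = req.headers["sec-fetch-site"];
  const dest = req.headers["sec-fetch-dest"];
  const base = { "X-Content-Type-Options": "nosniff", "Cache-Control": "no-store" };
  // Browsers that send Fetch Metadata: refuse cross-site loads and script loads.
  // Older browsers send neither header; nosniff plus a JSON type covers them.
  if ((site && site !== "same-origin") || dest === "script") {
    return { status: 403, headers: base, body: "" };
  }
  return {
    status: 200,
    headers: { ...base, "Content-Type": "application/json" },
    body: JSON.stringify(user),
  };
}

// Constructed requests: a third-party page's <script> include and the app's own fetch().
const crossSiteScript = { headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" } };
const ownFetch = { headers: { "sec-fetch-site": "same-origin", "sec-fetch-dest": "empty" } };

console.log(leakyHandler(crossSiteScript, session).body);
console.log(hardenedHandler(crossSiteScript, session).status);
console.log(hardenedHandler(ownFetch, session).status);
```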

De Ceukelaire demonstrated the threat by creating a website of his own that could retrieve data from the quiz app’s JavaScript file. Any user of the quiz app who visited his website would have not only their Facebook data harvested, but also their photos and friends list.


“It takes just one visit to our website to get access to someone’s personal information for up to two months,” he wrote in his blog post. “I would suggest that you do not want a website to know who you are, let alone to steal your information or photos.”

The incident was discovered as Facebook is still facing some blowback from the Cambridge Analytica scandal, which involved a separate personality-testing app. In that case, the app intentionally misused Facebook's data practices to harvest people’s personal information for political ad targeting purposes. As many as 87 million users were affected.

This leak of information does not seem to have been deliberate. De Ceukelaire speculates that the error may have arisen from a “rookie programming language.” Nevertheless, the exposure of data has been around since at least the end of 2016.

De Ceukelaire reported the problem to Facebook in April through the new bug bounty program, which was introduced in response to the Cambridge Analytica scandal.

“This is exactly the reason why we started with our Data Misuse Bounty Program in April: to reward people for reporting potential issues,” Facebook said in a public post about the error, which the company helped to fix.


“To be on the safe side, we have revoked the access tokens for everyone on Facebook who has signed up to use this app. So people have to re-authorize the app to continue using it,” Facebook added.

The developer, Social Sweethearts, said it has also found no evidence that bad actors ever abused the error.

However, De Ceukelaire said the whole incident raises serious questions about how Social Sweethearts is processing the data of its users. He also noted that Facebook took more than two months to finish its investigation and finally fix the error. During that time, the quiz apps were still up and running.

“I am pleased that both Facebook and NameTests worked and the problem is solved,” he said in his blog post. “On the other hand, we cannot accept that the information of the hundreds of millions of users would be leaked so easily. We can and must do better.”

To protect yourself, De Ceukelaire recommends that you remove apps from Facebook that you no longer use.

This article originally appeared on
