After Cambridge Analytica, Facebook Still Has Data-Leaking Bugs


Facebook has been through a lot of changes since the Cambridge Analytica data scandal, in which millions of individuals’ private data was collected without their knowledge. It took weeks before users who were on edge started to settle down. It only took a few months, however, before an ethical hacker called Inti De Ceukelaire discovered a bug that could lead to the same type of data leak that Facebook is now hard at work to prevent. This time, however, there was no massive outcry, and there are reasons for this, which we’ll explain. We’ll also show you how you can set Facebook up in such a way that you can avoid being victimized.

What Happened?


After the Cambridge Analytica data mining operation, Facebook held a bug bounty that offered a decent payout for anyone who found problems with its system. Inti, an ethical hacker who often participates in bug bounties, was determined to find something worthy of the social network’s “data abuse bounty program.”

After a bit of trial and error, he found something surprising that could compromise more than 120 million users on the platform.

If you have ever taken one of those little personality tests or quizzes on Facebook that ask you for certain permissions, you’ve probably landed on the bug he found. The hacker set up a test site to see if he could pull up someone’s data using a JavaScript request and was able to use a separate database set up by “Nametests.com” to get whatever he pleased.

From the modest amount of data that the quiz developer had on him, he was able to query Facebook for several other things like profile picture history, friends’ pictures, etc. One could theoretically crawl even further and build an entire tree of data based on this and other users who have used the app. Keep in mind that most people catch wind of these inane quizzes through their friends who often share their results.
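The article does not spell out the request details, so the following added example (not code from the article, Facebook or Nametests.com) generalizes to the two common ways a per-user data endpoint becomes readable from an unrelated site through JavaScript, and audits a response for both. The function names, sample headers and probe origin are constructed for illustration.

```javascript
// Added example. Sample responses below are constructed, not captured traffic.
const SCRIPT_TYPE = /^(application|text)\/(x-)?(java|ecma)script$/;

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// probeOrigin: the Origin header sent with the test request. It must be an
// origin the service has no reason to trust (here a reserved .example name).
function auditUserDataResponse(probeOrigin, response) {
  const h = lowerCaseHeaders(response.headers);
  const findings = [];
  const mime = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();

  // A script response can be pulled in with <script src> from any page,
  // cookies attached, unless Cross-Origin-Resource-Policy restricts it.
  if (SCRIPT_TYPE.test(mime) && corp !== 'same-origin' && corp !== 'same-site') {
    findings.push('user-data-served-as-script');
  }

  // Echoing an untrusted Origin while allowing credentials lets that
  // origin read the logged-in visitor's response via fetch/XHR.
  if (h['access-control-allow-origin'] === probeOrigin &&
      (h['access-control-allow-credentials'] || '').toLowerCase() === 'true') {
    findings.push('cors-trusts-arbitrary-origin');
  }
  return { crossSiteReadable: findings.length > 0, findings };
}

const PROBE = 'https://untrusted-probe.example';
const SAMPLES = {
  scriptWrapped: { headers: { 'Content-Type': 'application/javascript; charset=utf-8' } },
  reflectedCors: { headers: { 'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': PROBE, 'Access-Control-Allow-Credentials': 'true' } },
  hardened: { headers: { 'Content-Type': 'application/json',
    'X-Content-Type-Options': 'nosniff', 'Cross-Origin-Resource-Policy': 'same-origin' } },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditUserDataResponse(PROBE, res)));
}
```

An app developer would run this against the headers of every endpoint that returns data tied to the logged-in visitor; any finding means a third-party page could read that data.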

These quizzes are often centered around mundane things like “Which Disney princess are you?” or “Which classical musician are you?” What’s the harm in that?

As Inti found, there is much potential harm.

Let’s Be Fair

After Inti found the bug, he reported it to Facebook. This happened on April 22, 2018. On June 28, 2018, Facebook announced the discovery and the bounty payment to Inti, saying that it worked with the Nametests.com developer (Social Sweethearts) to get this sorted out quickly.

“To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it.”

As far as we know, no one has tried to exploit the bug during the time it existed, so mission accomplished!

Why You Still Need To Protect Yourself


Despite Facebook’s best efforts, we have no way of knowing whether their patch with Social Sweethearts would actually prevent further attempts at this type of data mining from other firms and individuals. It’s not a given that your data is secure because one hole in the system was plugged up. For this reason, you really should take more control of your information by following the steps below.

  • Go to your Settings and navigate to “Apps and Websites.”
  • Review the apps that you are currently logged into and remove them. You can also edit the permissions of any app you decide to keep.

To be honest, I was also going to advise you to go to the “Apps Others Use” section of your preferences, but Facebook apparently removed it. Here’s what the company said:

“These outdated settings have been removed because they applied to an older version of our platform that no longer exists.”

It’s not clear whether the settings were removed because your data can no longer be accessed by applications your friends use or because this access will now be permanently enabled.

For this reason you should be extra careful about the data you share with friends on Facebook. If there’s something sensitive, make a phone call or simply step outside into the fresh air and go jogging, biking, or just sit in a cafe with a friend. It’s old tech, but it’s good for you!

What other steps do you take to protect your data on Facebook? Share them with us!
