When Cambridge Analytica unethically accessed Facebook users' private data and manipulated it for their gain, everyone was in an uproar.
So you'd probably be pretty mad to hear that another developer somehow did worse.
German app maker Social Sweethearts is a developer that's been very active on Facebook. They've built at least dozens of quizzes for the platform under the NameTests brand, social questionnaires like "Which Disney Princess Are You?" Now, the thing is, they were doing what Cambridge Analytica did and gathering personal data from Facebook, like your name, birthday, photos, and friends lists. Yet that's not even the worst.
No, the worse news comes from white hat hacker Inti De Ceukelaire in a Medium post yesterday. In it, he detailed the kind of data Social Sweethearts was gathering, and how they were storing it in a JavaScript file, one that malicious hackers could easily obtain. All 120 million users' worth of it.
Ceukelaire says he tried to contact Facebook and warn them of the vulnerability multiple times, but was given a lukewarm response saying they would look into it. It was only months later this June, after the Cambridge Analytica scandal brought Facebook's data practices under the scanner, that Ceukelaire noticed NameTests had finally changed its process and walled up the vulnerability. Hence the Medium post making it public.
Social Sweethearts, for its part, has denied there was any evidence that third parties got their hands on the data or misused it in any fashion. "As the data protection officer of Social Sweethearts, I would like to inform you that the matter has been carefully investigated," the company told TechCrunch in a statement. "The investigation found that there was no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future."
Facebook meanwhile says it tackled the issue through its Data Abuse Bounty Program process. "A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June," vice president of product partnerships at Facebook, Ime Archibong, told TechCrunch.
This is just another example of possibly many security issues auditors are likely to bring to the forefront in the wake of Cambridge Analytica. It fits in with the previous narrative of the social media giant playing fast and loose with customer data, its primary revenue stream. And now that people are more aware of what's going on, it ain't gonna fly any more.