Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles

www.theregister.co.uk | 6/28/2018 | Staff
cindy95240 (Posted by) Level 3

Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people's personal information from their Facebook profiles.

This is quite possibly the first cash payment under the social network giant's new data abuse bug bounty program.


The under-fire Silicon Valley goliath introduced the bug bounty program in April after the Cambridge Analytica data-harvesting scandal. It offered a minimum of $500 – and no maximum – for anyone that provided proof that a third-party app had collected and transferred Facebook profile data to other parties. It is also a handy PR move by the biz.

Given that it’s only been two months since the scheme was launched and these kinds of investigations can take up to six months, it’s likely that this payout is the first, though Facebook have yet to confirm that this is the case, along with how many other reports are being investigated.


The bounty was awarded after self-described ethical hacker Inti De Ceukelaire found the quiz app at Nametests.com potentially exposed the data of more than 120 million monthly users.

In a blog post yesterday, De Ceukelaire said the web app fetched his personal data and stored it at nametests.com/appconfig_user, and it was available for other sites to swipe while he remained logged in. “In theory, every website could have requested this data,” he said.


Essentially, a malicious webpage in another tab can request the above URL to grab your profile details, once you've connected Nametests to your Facebook account. The app attempts to work out "what does your name really mean?"
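
A server-side check of the kind that keeps another site from reading a logged-in user's data, shown as an added example and not code from the article, De Ceukelaire or Nametests. The article does not say how the data was served or fixed; the cookie-authenticated endpoint, the `quiz.example` origin and the function names are assumptions.

```javascript
// Added illustration: refuse per-user data unless the browser reports that
// the request came from the app's own origin.
const SITE_ORIGIN = "https://quiz.example";           // hypothetical app origin
const PER_USER_PATHS = new Set(["/appconfig_user"]);  // path named in the article

// Origin of the page that triggered the request, from Origin or Referer.
function claimedOrigin(headers) {
  if (headers["origin"] !== undefined) return headers["origin"];
  try { return new URL(headers["referer"]).origin; } catch { return null; }
}

// headers: lower-cased names, as Node's http module exposes them.
function decide(path, headers) {
  if (!PER_USER_PATHS.has(path.split("?")[0])) return "allow";
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    // Set by the browser itself; script running on a page cannot override it.
    // "same-site" (sibling subdomains) and "cross-site" are both refused.
    return site === "same-origin" ? "allow" : "deny";
  }
  // Browsers without Fetch Metadata: fall back to Origin/Referer and
  // fail closed when neither header is present.
  return claimedOrigin(headers) === SITE_ORIGIN ? "allow" : "deny";
}

// Headers to attach whenever per-user data is served.
function responseHeaders() {
  return {
    "Cache-Control": "no-store",                    // keep profile data out of caches
    "Cross-Origin-Resource-Policy": "same-origin",  // browser blocks cross-origin embedding
    "X-Content-Type-Options": "nosniff",            // no reinterpretation as script
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ["app's own page", "/appconfig_user", { "sec-fetch-site": "same-origin" }],
  ["other site in another tab", "/appconfig_user", { "sec-fetch-site": "cross-site" }],
  ["sibling subdomain", "/appconfig_user", { "sec-fetch-site": "same-site" }],
  ["legacy browser, foreign origin", "/appconfig_user", { origin: "https://other.example" }],
  ["legacy browser, own referer", "/appconfig_user", { referer: "https://quiz.example/quiz/1" }],
  ["no provenance headers", "/appconfig_user", {}],
];
function runSamples() {
  return SAMPLES.map(([label, path, h]) => `${label}: ${decide(path, h)}`);
}
console.log(runSamples().join("\n"));
```
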


Information revealed included first name, last name, language, gender and birth date – all of which would remain accessible even after the app was disconnected from a Facebook...
(Excerpt) Read more at: www.theregister.co.uk