Incident: Data Leak from Facebook Quizzes by Nametests.com Affects 120 Million.

Published Date: 2018-06-28

Postmortem Analysis
Timeline
1. The software failure incident involving the popular Facebook quizzes and Nametests.com exposing private data of up to 120 million people happened in April 2018 [Article 72681, Article 72746].

System
1. Nametests.com website's coding: the flaw in the Nametests.com website's coding allowed anyone to access the private data of users, even after the app was deleted [72681, 72746].
2. Facebook's data protection measures: the incident highlighted a failure in Facebook's data protection measures, although the flaw was not due to Facebook's policies but to the flawed coding on the Nametests website [72746].

Responsible Organization
1. Nametests.com: the software failure incident was caused by a glitch in Nametests.com's website coding that allowed anyone to access the private data of users who took the Facebook quizzes offered by the app company [72681, 72746].

Impacted Organization
1. Facebook users: up to 120 million people had their private data exposed by the software failure incident involving Nametests.com quizzes [72681, 72746].

Software Causes
1. The software cause of the failure incident was a glitch in the coding of the Nametests.com website that allowed anyone to access and harvest the private data of users, even after they had deleted it from their Facebook profile [72681, 72746].
2. The flaw was due to flawed coding on the Nametests website, which exposed personal information of more than 120 million people [72746].

Non-software Causes
1. Lack of proper data privacy measures on the Nametests.com website, allowing unauthorized access to user data [72681, 72746].
2. Flawed coding on the Nametests website leading to the exposure of private user information [72746].

Impacts
1. The software failure incident involving Nametests.com exposed the private data of up to 120 million Facebook users, including names, dates of birth, posts, statuses, pictures, and friend lists, even after the apps were deleted [72681, 72746].
2. The flaw allowed anyone to harvest the names, photos, friend lists, posts, and pictures of users who used the Nametests.com app [72681].
3. The incident raised concerns about potential misuse of the leaked data, such as targeted political ads based on Facebook posts and friends, as well as the risk of blackmail by malicious websites [72681].
4. The software failure incident highlighted Facebook's ongoing privacy issues and the challenges with third-party apps, adding to the fallout from the Cambridge Analytica scandal [72746].
5. The bug existed since at least 2016, indicating a long-standing vulnerability that could have been exploited by hackers to access private information [72681].
6. The incident led to Facebook working closely with Nametests.com to resolve the vulnerability on their website, which was fixed in June [72681, 72746].
7. The security researcher who discovered the flaw reported it to Facebook through their Data Abuse Bounty Program, and Facebook rewarded him with a bug bounty of $4,000, which he requested be donated to the Freedom of the Press Foundation [72746].

Preventions
1. Regular security audits and testing of the app's code to identify and fix vulnerabilities before they are exploited [72681, 72746].
2. Implementing proper encryption and security measures to protect user data from unauthorized access [72681, 72746].
3. Ensuring that third-party apps accessing user data adhere to strict privacy policies and security standards [72681, 72746].
4. Promptly addressing and fixing reported bugs and vulnerabilities in the software [72681, 72746].
5. Providing proper training and awareness to developers and staff on data security best practices [72681, 72746].

Fixes
1. Resolving the glitch in the Nametests.com website's coding that allowed unauthorized access to user data [72681, 72746].
2. Implementing proper encryption and security measures to protect user data on the Nametests.com website [72681, 72746].
3. Conducting thorough security audits and testing to identify and address vulnerabilities in the website's code [72681, 72746].
4. Regular monitoring and maintenance of the website to ensure ongoing security and privacy of user data [72681, 72746].

References
1. Facebook's Bug Bounty Program [72681, 72746]
2. Security researcher Inti De Ceukelaire [72681, 72746]
3. Nametests.com [72681, 72746]
4. Facebook's vice president of product partnerships, Ime Archibong [72681]
5. Social Sweethearts [72746]
6. Thomas Schwenke, Social Sweethearts' data protection officer [72746]
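As an added illustration (not code from the articles, from Facebook, or from Nametests.com), the access pattern the postmortem describes: a profile lookup that answers anyone who knows the link and keeps serving after the app is removed, beside a hardened version that binds each read to the owner's own session and purges retained data when the user deauthorizes the app. The class, user ids and profile data are constructed for the example.

```python
import secrets
import hmac
from dataclasses import dataclass


@dataclass
class UserRecord:
    """Data a third-party quiz app retained from a user's Facebook profile (constructed)."""
    profile: dict
    app_authorized: bool = True


class QuizBackend:
    """Hypothetical quiz-app backend holding user data and login sessions."""

    def __init__(self):
        self.records = {}   # user_id -> UserRecord
        self.sessions = {}  # session token -> user_id

    def login(self, user_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def get_profile_vulnerable(self, user_id):
        # Failure mode from the postmortem: anyone who knows the link (user id)
        # gets the data, with no check on who is asking or whether the app is
        # still authorized. Data also persists after the user removes the app.
        return self.records[user_id].profile

    def get_profile(self, session_token, user_id):
        # Hardened: the requester must hold a session for exactly this user...
        owner = self.sessions.get(session_token)
        if owner is None or not hmac.compare_digest(owner, user_id):
            raise PermissionError("session does not belong to requested user")
        # ...and the user must still authorize the app; otherwise nothing is served.
        rec = self.records.get(user_id)
        if rec is None or not rec.app_authorized:
            raise PermissionError("app not authorized for this user")
        return rec.profile

    def on_deauthorize(self, user_id):
        # Removing the app must purge retained data and kill live sessions,
        # not merely flag the record, so no later request can recover it.
        self.records.pop(user_id, None)
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}
```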

Software Taxonomy of Faults

Category: Option. Rationale.

Recurring: one_organization.
(a) The software failure incident related to the exposure of private data through Facebook quizzes happened again at the same organization, Nametests.com. The incident was a result of a glitch in the website's coding that allowed anyone to access users' private information even after they had deleted it from their Facebook profile. This flaw was discovered by cyber security researcher Inti De Ceukelaire, who found that the data of up to 120 million Facebook users was at risk [72681, 72746].
(b) There is no specific information in the provided articles about a similar incident happening at other organizations or with their products and services.

Phase (Design/Operation): design, operation.
(a) The software failure incident related to the design phase is evident in the articles. The incident with Nametests.com exposing the private data of up to 120 million people was due to a glitch in the website's coding that allowed anyone to secretly access users' information even after they had deleted it from their Facebook profile. This flaw was a result of a glitch introduced during the system development of Nametests.com, which the company has since resolved [72681, 72746].
(b) The software failure incident related to the operation phase is also present in the articles. The flaw in the Nametests quiz app allowed anyone to pull up information on more than 120 million people, showing a failure in the operation or misuse of the system. The data was publicly available to anyone with the link, indicating a failure in the operational security measures of the app [72681, 72746].

Boundary (Internal/External): within_system.
(a) within_system: The software failure incident related to the Facebook quizzes exposed the private data of up to 120 million people due to a glitch in the Nametests.com website's coding. The flaw allowed anyone to secretly access users' information even after they had deleted it from their Facebook profile. This flaw was a result of a glitch within the system that Nametests.com has since resolved [72681, 72746].

Nature (Human/Non-human): non-human_actions, human_actions.
(a) The software failure incident in the articles was primarily due to non-human actions. The incident was caused by a glitch in the coding of the Nametests.com website, which allowed anyone to access the private data of users even after they had deleted the app from their Facebook profile. This flaw was exploited by a security researcher who found that personal information was publicly available without encryption or security, and that data could be accessed by any third party that requested it [72681, 72746].
(b) However, human actions were also involved in the incident. The flaw in the coding of the Nametests.com website was a result of human actions during the development and maintenance of the app. The security researcher who discovered the vulnerability reported it to Facebook as part of their Data Abuse Bounty Program, which encourages reports involving Facebook data. Facebook then worked with Nametests.com developers to address and resolve the vulnerability on their website [72681, 72746].

Dimension (Hardware/Software): software.
(a) The software failure incident reported in the articles is primarily due to contributing factors that originate in software. The incident involved a flaw in the popular quiz app on Facebook called "Nametests" that allowed anyone to pull up information on more than 120 million people, even after the app was deleted. This flaw was attributed to flawed coding on the Nametests website, indicating a software-related issue [72681, 72746].
(b) The software failure incident is not attributed to hardware-related factors but rather to the software-related factors mentioned above.

Objective (Malicious/Non-malicious): malicious.
(a) The software failure incident related to the Facebook quizzes that exposed the private data of up to 120 million people was malicious in nature. The incident was caused by a glitch in the Nametests.com website that allowed anyone to secretly access users' information, even after they had deleted it from their Facebook profile. A cyber security researcher discovered this flaw and created a malicious website to demonstrate how the data could be harvested. This incident was not accidental but a result of intentional exploitation of the vulnerability in the system [72681, 72746].
(b) The software failure incident was not non-malicious in the sense of being caused by unintentional errors or faults in the system. Instead, it was a deliberate flaw in the coding of the Nametests.com website that exposed users' private data. The flaw was not due to accidental mistakes but was introduced with the intent to access and misuse personal information [72681, 72746].

Intent (Poor/Accidental Decisions): poor_decisions.
(a) poor_decisions: The software failure incident related to the Facebook quizzes exposed the private data of up to 120 million people due to poor decisions made by the app company Nametests.com. The incident was the result of a glitch in the website's coding that allowed anyone to secretly access users' information, even after they had deleted it from their Facebook profile. This flaw was exploited by a vigilante hacker who demonstrated how easy it was to harvest sensitive data using a malicious website [72681, 72746].
(b) accidental_decisions: The software failure incident related to the Facebook quizzes exposing private data was not due to accidental decisions or unintended mistakes. It was a deliberate flaw in the coding of the Nametests.com website that allowed unauthorized access to user information. The security researcher who discovered the flaw intentionally set up a website to demonstrate the vulnerability and how easily data could be accessed [72681, 72746].

Capability (Incompetence/Accidental): development_incompetence.
(a) The software failure incident related to development incompetence is evident in the articles. The incident involving the Nametests.com Facebook quizzes exposed the private data of up to 120 million people due to a glitch in the website's coding that allowed anyone to access users' information [72681, 72746]. This flaw was a result of a development oversight or lack of professional competence by the developers at Nametests.com, which led to the exposure of sensitive user data.

Duration: temporary.
(a) The software failure incident related to the Facebook quizzes exposed by Nametests.com was temporary. The incident was due to a glitch in the website's coding that allowed anyone to access users' private data, even after they had deleted the app from their Facebook profile. The glitch was discovered by a security researcher, Inti De Ceukelaire, who reported it to Facebook as part of their Data Abuse Bounty Program. The issue was resolved by working with Nametests.com developers to fix the vulnerability on their website [72681, 72746].

Behaviour: omission, value, other.
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The software failure incident involves an omission where the system omits to perform its intended functions at one or more instances. The flaw in the Nametests.com website allowed anyone to pull up information on more than 120 million people, even after the app was deleted, indicating an omission in protecting user data [Article 72746].
(c) timing: The software failure incident does not involve a timing issue where the system performs its intended functions correctly but too late or too early.
(d) value: The software failure incident involves a value issue where the system performs its intended functions incorrectly. The flaw in the Nametests.com website allowed unauthorized access to personal data of users, including names, birth dates, posts, statuses, pictures, and friend lists, even after the apps were deleted [Article 72681].
(e) byzantine: The software failure incident does not involve byzantine behavior where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior observed in the software failure incident is a flaw in the coding of the Nametests.com website that allowed unauthorized access to user data, indicating a vulnerability in the system's security measures [Article 72746].

IoT System Layer

Layer: Option. Rationale.

Perception: None. Rationale: none.
Communication: None. Rationale: none.
Application: None. Rationale: none.

Other Details

Category: Option. Rationale.

Consequence: property, theoretical_consequence.
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving the Facebook quizzes exposed the private data of up to 120 million people, including names, dates of birth, posts, statuses, pictures, and friend lists. This data was at risk of being accessed by unauthorized parties, potentially leading to misuse such as targeted advertising or blackmail. The flaw allowed for the harvesting of names, photos, friend lists, posts, and pictures of users who took the quizzes, indicating a significant impact on individuals' data privacy and security [72681, 72746].

Domain: information.
(a) The software failure incident reported in the articles is related to the information industry. The incident involved a popular Facebook quiz app called Nametests.com that exposed the private data of up to 120 million people, allowing anyone to harvest users' names, posts, and photos even after they had deleted the app from their Facebook profile [Article 72681, Article 72746]. This incident highlights the importance of data privacy and security in the information industry.
