NameTests – a quiz as a gateway to Facebook profiles

August 16, 2018

A Facebook app, the NameTests quiz, mishandled its users' data. The app was used to host quizzes, which are popular on this social network. The scale of the problem is shown by the fact that the personal data of 120 million users was accessible to almost any Internet user.

You know the NameTests address – you see the data

As it turned out, it was enough to enter http://nametests.com/appconfig_user into a browser for data such as the quiz participant's name, family name, date of birth and photos to be displayed. The results were returned as JavaScript, which, in turn, allowed the data to be downloaded from other websites.

Such access remained possible even 2 months after the application was removed. The reason: this was the validity period of the token downloaded along with the other data, as specified by the author.

Fortunately for NameTests users, the vulnerability in question has already been removed.
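
The weakness described above, personal data served as JavaScript that other sites can load, shown beside a hardened form. This is an added example, not NameTests code: the handler names, the request model and the header checks are assumptions made for illustration.

```javascript
// Constructed illustration: hypothetical handlers, not NameTests code.
// A request is modelled as { headers: {...}, sessionUser: {...} | null }.

// Weak form: personal data emitted as executable JavaScript. Any other site
// that includes this URL as a script receives the logged-in user's data.
function weakUserData(req) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: 'var user = ' + JSON.stringify(req.sessionUser) + ';',
  };
}

// Hardened form: data only, never script, and refused to cross-site callers.
function hardenedUserData(req) {
  const site = req.headers['sec-fetch-site']; // sent by modern browsers
  const dest = req.headers['sec-fetch-dest'];
  const baseHeaders = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff', // JSON must not be run as a script
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Cache-Control': 'no-store',
  };
  if (!req.sessionUser) {
    return { status: 401, headers: baseHeaders, body: '{"error":"login required"}' };
  }
  // Reject cross-site requests and any request whose destination is a script.
  const crossSite = site !== undefined && site !== 'same-origin' && site !== 'none';
  if (crossSite || dest === 'script') {
    return { status: 403, headers: baseHeaders, body: '{"error":"forbidden"}' };
  }
  return { status: 200, headers: baseHeaders, body: JSON.stringify(req.sessionUser) };
}

// Constructed sample requests: the app's own page and a third-party page.
const user = { name: 'Jane', familyName: 'Doe', birthday: '1990-01-01' };
const sameOrigin = {
  headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'empty' },
  sessionUser: user,
};
const thirdParty = {
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' },
  sessionUser: user,
};

console.log(weakUserData(thirdParty).status, hardenedUserData(thirdParty).status,
  hardenedUserData(sameOrigin).status);
```

Requests from browsers that do not send the `Sec-Fetch-*` headers fall through to the JSON response, where the `nosniff` header and JSON content type still keep the body from being executed as a script.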

Source: Medium.com


Published by: Piotr Mierzwiński
