Facebook says that underhand data harvesting tactics have been employed by quiz apps, compromising the privacy of thousands of the social media platform’s users.
Malicious quiz apps were allegedly created to encourage user participation and lift profile data. Any account holders who wanted to take part in the quizzes were prompted to install a browser extension, which then took user details, such as names and profile pictures, without the user’s knowledge.
Such programmes were installed around 63,000 times in a period between 2016 and 2018, Facebook claims. Legal cases have now been opened against two cyber programmers, Andrey Gorbachov and Gleb Sluchevsky, both employees of an organisation known as Web Sun Group.
The quizzes were diverse in nature, but generally targeted populist themes such as “What do the lines on your palm say about you?” and “Does your music taste match your star sign?”
Once installed, such apps were able to get into user accounts via the Facebook login system, which facilitates links between third-party software and account profiles.
The system is in place to attest to the security of any third-party apps installed, but in the case of the Web Sun Group employees, the social network was lied to about the amount of data that the apps would lift from user profiles.
As written in court documents that were published on the news website The Daily Beast, the defendants “compromised approximately 63,000 browsers used by Facebook users and caused over $75,000 (£58,000) in damages to Facebook.”
Speaking to the BBC news website, cyber-security expert Andrew Dwyer said that the court literature implied that those who had installed the malicious apps had “effectively opened up entry into their Facebook accounts.
“Facebook’s existing verification procedures would have struggled to recognise this kind of malicious activity before allowing the apps access to users’ profiles. Fundamentally, this shows the failures of the app ecosystem – where there was little verification of what apps were doing,” he said.
“As the [alleged] malicious activity was outside of the app, the typical review process of verifying the app may not have caught this activity,” Mr Dwyer added.