Seemingly innocent quizzes that popped up on Facebook were made solely for the purpose of gathering users’ profile data, according to the social media platform. Facebook said users who wanted to take the quizzes were asked to install browser extensions, which would then obtain a range of data such as names, profile pictures and even private lists of friends.
It was reported that these extensions were installed approximately 63,000 times between 2016 and October 2018, and that the scheme mainly targeted Russian-speaking victims.
Facebook is suing the Ukrainian duo allegedly behind the quizzes – Andrey Gorbachov and Gleb Sluchevsky, both of whom worked for a company called Web Sun Group.
The quizzes in question, which included titles such as “What kind of person do people think you are?” and “What animal are you?”, were ultimately able to gain access to this information via Facebook’s login system, which enables connections between third-party apps and Facebook profiles.
The system is intended to verify that these connections are secure. However, Facebook says users were falsely told that the app would only collect a limited amount of data from their profiles.
“In total, defendants compromised approximately 63,000 browsers used by Facebook users and caused over $75,000 (£58,000) in damages to Facebook,” the company claims in its complaint, published by online news site The Daily Beast.
The Daily Beast also reported that the pair had aliases to support the scheme, including Elena Stelmah, Amanda Pitt and Igor Kolomiiets, after Facebook kicked them off the platform and got their malware banned from browser app stores.
In a statement, the company said: “Today Facebook filed a complaint against two developers based in the Ukraine for violations of our policies and other US laws by operating malicious browser extensions designed to scrape Facebook and other social networking sites. By filing the complaint, we hope to reinforce that this kind of fraudulent activity is not tolerated on our services, and we will act forcefully to protect the integrity of our platform.”
Cyber-security expert Andrew Dwyer from the University of Oxford told BBC News that the document implied users who installed the browser extensions had “effectively opened up entry into their Facebook accounts.”
He added that Facebook’s current verification procedures would have trouble recognising this kind of malicious activity before allowing the apps to access users’ profiles.
“Fundamentally, this shows the failures of the app ecosystem – where there was little verification of what apps were doing,” he said.
“As the [alleged] malicious activity was outside the app, the typical review process of verifying the app may not have caught this activity.”
So, what we should understand from this is simple – if you come across a quiz from a third-party app on Facebook that asks for permission to install extensions, leave it immediately. It’s not worth risking your own personal data just to find out what sandwich you actually are, and what that “truly” says about you, now is it?
Story by Emily Clark