Facebook sues quiz app developers who allegedly stole users’ private data through browser plugins

Facebook, seemingly perpetually fighting allegations that it doesn’t take enough care of the privacy and security of its billions of users, is taking a stand against a pair of Ukrainian app developers who it claims scraped personal information from users’ profiles.

In a lawsuit filed on Friday, the social networking giant accuses Gleb Sluchevsky and Andrey Gorbachov of promoting quizzes that ultimately tricked users into installing malicious browser extensions that scraped private information from their profile, and those of their friends.

The quizzes – which used Facebook’s login feature and had titles like “Do people love you for your intelligence or your beauty?”, “Do you have royal blood?”, and “Determine by photo, who is your famous ancestor!” – ended up taking users to third-party websites, and duped them into installing malicious browser extensions in the mistaken belief that they would receive horoscopes and revelations about their personality.

Specifically, the app developers are accused of harvesting users’ publicly viewable profile information (for instance, name, gender, age range, and profile picture) as well as their private (or non-publicly viewable) list of friends.

Users, however, were falsely told that the apps – with names such as “Supertest”, “FQuiz”, “Megatest”, and “Pechenka” – would only retrieve a limited amount of public information from profiles.

The browser extensions would then, according to Facebook, inject unauthorised ads into the browser session, appearing in affected users’ newsfeeds without their knowledge or Facebook’s authorisation.

According to Facebook’s lawsuit, it wasn’t the only social networking site targeted by the defendants: non-public information from other unnamed sites was also accessed and stored on remote servers in the Netherlands.

Facebook claims that the malicious browser plugins were installed approximately 63,000 times between 2016 and October 2018, and that Sluchevsky and Gorbachov broke US computer hacking laws as well as breaching the site’s terms of service.

The company says in its court filing that it suffered over $75,000 in damages investigating the incident. That’s obviously chicken feed for a company the size of Facebook, but what it values much more is its public image – especially after a spate of damaging headlines in recent years, sparked off by the Cambridge Analytica revelations.

You may recall that it was a quiz app called “This is your digital life” that was revealed to have harvested as many as 87 million Facebook profiles in the Cambridge Analytica case.

Whether you choose to be a Facebook user or not, always exercise great care over the links you click on and the third-party browser extensions you install. You could be granting malicious hackers a way of spying on your activities, meddling with your computer, or stealing your personal information.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment


  • wtf??? Facebook suing? No doubt, we're living in an upside-down world! As if FB wasn't 100% guilty :/
    People who got their data stolen (because of FB's greedy behavior) should be the ones who attack FB and CA.
    And if FB asks for compensation, it would be insane.