Facebook has announced it is suing Andrey Gorbachov and Gleb Sluchevsky, of Ukraine, who worked for a company called Web Sun Group. The company generated meaningless quizzes that in fact stole data from the people who took them.
The quizzes, with titles such as “Who is your first, last, and the only love?” and “Who is your doppelganger from the past?”, gained access to this information via the Facebook Login system – which enables connections between third-party apps and Facebook profiles.
While the system is intended to verify that such connections are secure, in this case, Facebook says, users were falsely told the app would retrieve only a limited amount of public data from their profiles.
“In total, defendants compromised approximately 63,000 browsers used by Facebook users and caused over $75,000 [R1,050,000] in damages to Facebook,” the company said in court documents.
Web Sun Group was granted access to people’s information when they downloaded and installed a browser extension the quiz claimed was necessary to see the result. This extension then lifted data ranging from names and profile pictures to private lists of friends, photos, relationship status, and even email addresses and phone numbers.
Andrew Dwyer, a cyber-security expert at the University of Oxford, said Facebook’s existing verification procedures would have struggled to recognise this kind of malicious activity before allowing the apps access to users’ profiles.
“Fundamentally, this shows the failures of the app ecosystem – where there was little verification of what apps were doing,” he told BBC News.
“As the [alleged] malicious activity was outside of the app, the typical review process of verifying the app may not have caught this activity.”