2 min read

Facebook sues quiz app developers who allegedly stole users' private data through browser plugins


March 11, 2019

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Facebook sues quiz app developers who allegedly stole users' private data through browser plugins

Facebook, seemingly perpetually fighting allegations that it doesn’t take enough care of the privacy and security of its billions of users, is taking a stand against a pair of Ukrainian app developers who it claims scraped personal information from users’ profiles.

In a lawsuit filed on Friday, the social networking giant accuses Gleb Sluchevsky and Andrey Gorbachov of promoting quizzes that ultimately tricked users into installing malicious browser extensions that scraped private information from their profile, and those of their friends.

The quizzes – which used Facebook’s login feature and had titles like “Do people love you for your intelligence or your beauty?”, “Do you have royal blood?”, and “Determine by photo, who is your famous ancestor!” – ended up taking users to third-party websites, and duped them into installing malicious browser extensions in the mistaken belief that they would receive horoscopes and revelations about their personality.

Specifically, the app developers are accused of harvesting users’ publicly viewable profile information (for instance, name, gender, age range, and profile picture) as well as their private (or non-publicly viewable) list of friends.

Users, however, were falsely told that the apps – with names such as “Supertest”, “FQuiz”, “Megatest”, and “Pechenka” – would only retrieve a limited amount of public information from profiles.

The browser extensions would then, according to Facebook, inject unauthorised ads into the browser session, appearing in affected users’ newsfeeds without their knowledge or Facebook’s authorisation.

According to Facebook’s lawsuit it wasn’t the only social networking site that was targeted by the defendants, and non-public information from other unnamed sites was also accessed and stored on remote servers in the Netherlands.

Facebook claims that the malicious browser plugins were installed approximately 63,000 times between 2016 and October 2018, and that Sluchevsky and Gorbachov broke US computer hacking laws as well as breaching the site’s terms of service.

The company says in its court filing that it suffered over $75,000 in damages investigating the incident. That’s obviously chicken feed for a company the size of Facebook, but what it values much more is its public image – especially after a spate of damaging headlines in recent years, sparked off by the Cambridge Analytica revelations.

You may recall that it was a quiz app called “This is your digital life” that was revealed to have harvested as many as 87 million Facebook profiles in the Cambridge Analytica case.

Whether you choose to be a Facebook user or not, always exercise great care over the links you click on and the third-party browser extensions you install. You could be granting malicious hackers a way of spying on your activities, meddling with your computer, or stealing your personal information.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like