A Facebook quiz app may have exposed sensitive data of up to 120 million users, according to a security researcher.
Anyone could have accessed information, including names, dates of birth, posts, pictures, statuses and friend lists, belonging to users signed up to one of the quizzes circulated by Nametests.com, ethical hacker Inti De Ceukelaire said, Newsweek reported.
De Ceukelaire revealed on Thursday that the website retrieved and displayed the Facebook information on an external webpage that could be easily accessed.
Even once the user deleted the app, this information was still left exposed.
In a blog post, De Ceukelaire detailed how he took one of the quizzes amid criticism that such apps were known for data harvesting.
He noticed that, while loading a test, the website would fetch his personal information and display it on the webpage.
"I was shocked to see that this data was publicly available to any third-party that requested it," he said. "In a normal situation, other websites would not be able to access this information."
He noted that advertisers could exploit this information to create targeted political ads based on a user's Facebook posts and friends.
"More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends," De Ceukelaire wrote, outlining the hack in detail in a video posted to YouTube.
"I created a random website, not connected to the Facebook user visiting my page," he explained.
"Abusing a vulnerability in the popular quiz app nametests.com, I was able to identify who the visitor is, get their personal information, private photos, status updates and friends."
The issue was reported to Facebook on April 22 and resolved in June; however, Newsweek noted that the flaw had existed since 2016.
Nametests.com meanwhile said there was "no evidence of abuse by a third party."
This comes amid growing concerns about Facebook's ability to protect personal data of its users.
Earlier this year Facebook Inc. shares posted their steepest drop since 2015 as U.S. and European officials demanded answers to reports that a political advertising firm retained information on millions of the social network’s users without their consent.
The social media platform has also been entangled in various other data leaks during the past few months.