2018-07-03 11:00
Compiled by Xiaoyi
(This article was automatically translated by Xiaoyi)
Quiz app on Facebook accidentally exposes data of 120M users
A quiz app on Facebook that can tell you which Disney princess you are has also been leaking the personal information of its 120 million users.
The quiz app from Nametests.com was apparently storing the personal information of its users in a rather careless way; the data was circulating through a public Javascript file that other websites could theoretically access.
"I was shocked to see that this data was publicly available to any third-party that requested it," said Inti De Ceukelaire, the Belgian security researcher who discovered the data leak.
On Wednesday, he published a blog post, describing how the Javascript file might endanger the privacy of Nametests.com users. A third-party website could potentially exploit the Javascript file to see when incoming visitors have a Facebook profile.
If the visitors do, the website could harvest details of the Facebook profiles, including name, age, birth date and gender.
De Ceukelaire demoed the threat by creating his own website that can fetch data from the quiz app's Javascript file.
Any users of the quiz app who visited his website would not only get their Facebook data harvested, but also their photos and friends list too.
"It would only take one visit to our website to gain access to someone's personal information for up to two months," he wrote in his blog post.
"I would imagine you wouldn't want any website to know who you are, let alone steal your information or photos."
The incident was discovered as Facebook is still facing some blowback from the Cambridge Analytica scandal, which involved a separate personality testing app.
In that case, the app deliberately exploited Facebook's data practices to harvest people's personal information for political ad targeting purposes. As many as 87 million users may have been affected.
The data leak involving Nametests.com doesn't appear to be deliberate. De Ceukelaire speculates that the flaw may have stemmed from a "rookie programming mistake." Nevertheless, the data exposure has been going on since at least the end of 2016.
De Ceukelaire reported the problem to Facebook in April through the company's new bug bounty program, which was introduced in response to the Cambridge Analytica scandal.
"This is exactly why we launched our Data Abuse Bounty Program in April: to reward people for reporting potential problems," Facebook said in a public post about the flaw, which the company helped to fix.
"To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it," Facebook added.
The developers behind Nametests.com, Social Sweethearts, said it has also found no evidence that bad actors ever abused the flaw.
However, De Ceukelaire said the whole incident raises serious questions over how Social Sweethearts is handling the data of its users.
He also noted that it took Facebook over two months before it finished its investigation and finally patched the flaw. During that time the quiz apps from Nametests.com were still up and running.
"I am glad both Facebook and NameTests cooperated and resolved the issue," he said in his blog post. "On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better."
To protect yourself, De Ceukelaire recommends that you delete any apps from Facebook that you're no longer using.