Facebook has sued two Ukrainian men who it says used quiz apps and malicious browser extensions to scoop up private data from 63,000 platform users, and then used that data for advertising purposes.
A lawsuit filed Friday by Facebook alleged that the two men, Gleb Sluchevsky and Andrey Gorbachov, deceived users into installing malicious browser extensions after downloading their malicious apps, which used the “login with Facebook” feature.
“Defendants created fake developer accounts on Facebook using knowingly false information in violation of Facebook’s TOS [terms of service], Community Standards and related policies,” according to the lawsuit. “As a result of the false information, defendants gained access to Facebook as a developer.”
The apps and browser extensions would then scrape personal data from users’ social-media profiles, and the extensions would inject targeted advertisements when the app users visited different social-networking sites, including Facebook.
In total, the two compromised approximately 63,000 Facebook users and caused over $75,000 in damages to Facebook, according to the lawsuit. Facebook did not immediately respond to a request for comment from Threatpost.
The incident, which comes almost a year after Facebook’s Cambridge Analytica scandal came to light, is yet another layer to the social-media platform’s ongoing privacy crisis as it struggles to define its future.
The Scheme
Facebook alleges that between 2016 and 2018, the two men collected data by convincing platform users to download at least four applications that purported to be horoscopes and character tests.
The tests, “Supertest,” “FQuiz,” “Megatest” and “Pechenka,” were available on publicly accessible websites unaffiliated with Facebook, and targeted Russian and Ukrainian speakers.
However, the applications used the “login with Facebook” feature to allow users to sign in — it’s a function that allows users to avoid creating brand-new accounts for certain apps. When a user “logs in with Facebook,” they’re alerted that by doing so, they allow the app to access public profile information. The malicious apps in this case were thus actually designed to scrape the app users’ public profiles on Facebook.
The apps also eventually prompted users to install malicious extensions that manipulated users’ browsers; these collected a raft of private and public social-media data when a user visited the Facebook site. Together, the apps and the extensions collected information including names, gender, age range, profile pictures and lists of friends.
Using this information, the extensions then served up targeted ads to the victims, according to the lawsuit.
How were the two Ukrainians able to sneak their malicious extensions onto Facebook’s platform? According to the lawsuit, it seemed surprisingly easy – simply lying when asked to agree electronically to Facebook’s compliance policies.
Everyone who uses Facebook must electronically agree to Facebook’s terms of service, which require Facebook users to “provide accurate information about their identity and prohibits deceptive, misleading and unlawful conduct.”
Furthermore, Facebook’s Community Standards and Platform Policy sections require that third-party developers don’t “confuse, deceive, defraud, mislead, spam or surprise anyone.”
Cambridge Analytica: A Year Later
The lawsuit comes about a year after Facebook faced backlash in March 2018 for disclosing that third-party Facebook app Cambridge Analytica had harvested data of 87 million unknowing users.
Similar to this most recent case, during the Cambridge Analytica incident an app developer violated the company’s platform policies by collecting data via an app under the pretense of using it for psychological research – and instead passing users’ personal information to Cambridge Analytica.
The Cambridge Analytica case set off a wave of distrust around Facebook and its platform, while other privacy issues continued to plague the social-media giant throughout 2018.
Despite the backlash, Facebook is trying to rebound: Last week, Facebook CEO Mark Zuckerberg announced a new “privacy-focused vision for social networking,” which would have the platform rely on private messaging in the year ahead.
“As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today’s open platforms,” he said. “Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.”