I treat my Facebook account like a little safe haven on the internet, meticulously poring over whatever privacy settings I can to make sure that only trusted friends and family can see my things. Is it overly paranoid? Maybe, but, it's become increasingly apparent that nothing you do online will ever be deleted, so I like to keep as large of a wall around personal things as I can. Because of this, I absolutely hate giving games the OK to connect to my Facebook, and the depressingly popular QuizUp [Free] is the latest example of a game that leans heavily on Facebook to spread like a social virus… All while being shockingly careless with your personal data.

Developer Kyle Richter did some digging on what QuizUp is doing with your Facebook and local phone contact information. The full report can be read here, but the gist of it is the game is actively sending all of your personal data, in plain text, including your location, email address, and more. Additionally, once you give the game access to your contact list, all of your contacts are uploaded to QuizUp's servers.

Through my research into the way the app functioned it became apparent that they weren’t just exposing private information but were actively breaking numerous rules, policies, security best practices, and actively deceiving their users.

The lax security rabbit hole in QuizUp goes so much deeper it's incredible:

...in the case of QuizUp they actually send you other users’ personal information via plain-text(un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense.

It sounds like if you've used QuizUp, they've already captured all of your data, but you can keep it from collecting anything else by deleting the app from your phone, then heading to your Facebook app settings and revoking its rights to your Facebook data. This won't do anything to the data they already have, but, at least it'll stop new leaks.

This stuff is super gross, and a big reason why I never allow apps to touch my Facebook with rare exception… And if this creeps you out, I highly recommend doing the same.

UPDATE: We've been contacted by the developers who have said an update fixing this has been submitted to Apple already for approval and contact information was never actually stored on their servers, but, given these severe personal data security issues and totally ignoring common sense best practices, I'm not sure how much confidence that inspires.
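
An added example, not from the original article or from Kyle Richter's report: a check a reviewer could run over a captured API response to flag personal fields attached to users other than the logged-in one, together with the server-side allowlist that removes them. The response shape, the field names and the `PUBLIC_KEYS` policy are constructed for illustration, and the code assumes any object carrying an `id` key is a user record.

```python
import json

# Keys treated as personal data, following the categories listed in the report.
# The exact key names are assumptions; QuizUp's real field names are not on this page.
PII_KEYS = {"full_name", "facebook_id", "email", "picture", "gender", "birthday", "location"}
# Hypothetical policy: the only fields a stranger's client needs to show an opponent.
PUBLIC_KEYS = {"id", "display_name", "score"}

# Constructed sample response; no real user data.
SAMPLE = json.loads("""
{"match_id": "m-1",
 "me": {"id": "u-100", "display_name": "viewer", "email": "viewer@example.com"},
 "opponents": [
   {"id": "u-200", "display_name": "stranger", "score": 7,
    "full_name": "Jane Example", "email": "jane@example.com",
    "birthday": "1990-01-01", "location": {"lat": 0.0, "lon": 0.0}}
 ]}
""")


def find_pii_leaks(node, viewer_id, path="$"):
    """Return (path, key) pairs for PII found on user objects other than the viewer."""
    leaks = []
    if isinstance(node, dict):
        if "id" in node and node["id"] != viewer_id:
            leaks += [(path, k) for k in sorted(node)
                      if k in PII_KEYS and node[k] is not None]
        for key, value in node.items():
            leaks += find_pii_leaks(value, viewer_id, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks += find_pii_leaks(item, viewer_id, f"{path}[{i}]")
    return leaks


def minimise(node, viewer_id):
    """Server-side fix: project other users' objects onto PUBLIC_KEYS before sending."""
    if isinstance(node, dict):
        if "id" in node and node["id"] != viewer_id:
            return {k: v for k, v in node.items() if k in PUBLIC_KEYS}
        return {k: minimise(v, viewer_id) for k, v in node.items()}
    if isinstance(node, list):
        return [minimise(item, viewer_id) for item in node]
    return node
```

Filtering on the server matters here because anything in the response reaches the other player's device whether or not the app displays it; encrypting the connection protects the data in transit but does not hide it from the recipient.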

  • Razoric

    I noticed my Game Center got spammed with people challenging me to QuizUp stuff too.

    • http://toucharcade.com Eli Hodapp

      These kind of games are the absolute worst. They're like a computer virus with a game front end. Super gross.

      • Razoric

        And I totally get what you are saying about Facebook. I try so hard to make that account somewhat safe from this garbage due to so many family and friends being on there. I'm constantly making sure it's locked down but stuff still seeps through...

    • Nate Heagy

      At least Game Center doesn't reveal your email address, real name, or location 🙂

  • defunct32

    I have allowed many games and apps to access my FB info, shoot! I'm not taking chances I'm removing all of 'em! Call me crazy paranoiac I don't care!

    • mr_bez

      Had a clearout myself. Most were things I deleted long ago but still had access. Down to one now (Game Center).
      On iOS, open Facebook and select More... Account Settings... Apps.

      • defunct32

        Crazy isn't it? I checked under "more settings" or something like that and wow, here are the things that were shared without my knowledge:


        All were ticked! I quickly unticked (is this a word?) them. :/

  • mclifford82

    All they said was an update has been submitted? Nothing else? No explanation?

    Not that it matters, they're pretty much fucked after this stays up.

  • scrotally

    This is why I never have and never will join Facebook.

    • nini

      Very true, best way to keep your details safe on Facebook is not to use Facebook, it works with 100% certainty (barring identity theft).

    • pdSlooper

      Honestly, not a bad policy.

      I'm there because it's the only way I'd actually keep in contact with my family and friends (all out of state/country). But I do try to limit how much of my info I put on the site in the first place. It's imperfect, and FB keeps bugging me to fill out my profile...

    • Peter Wiggin

      Just don't post true or accurate info to your facebook page, problem solved. Facebook is an incredible medium for staying connected online. That's like saying I will never use the internet. Not that any of it matters since the NSA will just get your info regardless.

  • Nate Heagy

    This makes Game Center-based games even more appealing, IMO.

    For example: I'm loving Lords of Waterdeep, but to play online I had to create a Playdek account and give them my email address. I got a marketing email from them the very same day! Proves that even talented developers can misuse your personal data.

    • venasque

      Well if the developers used Game Center there would be no reason to sign up separately.

      • Nate Heagy


      • venasque

        Sorry. Misread your original post. But all good we're on the same page.

  • JetLinerSaw

    Haha, that's not near the last we'll see of this sort of thing. I mean it's not like our freedoms are being stripped from us one by one because everyone's too distracted with media and "entertainment". A little gaming is cool, everyone needs to cope somehow, but don't whine and complain when the politics you all don't pay attention to come back and slap you in the face. Woe is the modern working man, I guess. And don't even act like this doesn't stem from a bigger problem. WAKE UP KIDDIES /rant.

    • Pray For Death

      Uhh... what?

      • JetLinerSaw

        You either understand, or you don't. Move along.

    • nini

      Who're you calling kiddies, slick?

      • JetLinerSaw

        That's what you got out of that? << Need I continue?

      • nini

        Probably not, I understand you but I'm not going to side with you when you call me and anyone who read that diatribe "kid".

      • JetLinerSaw

        Call it whatever you want, it remains the truth. That's the only part of all this that still holds relevance.

  • Naraka

    I have the following and suggest you do as well.

    A gamer Facebook account separate from my personal one. It has no information and no friends.

    A gamer email account.

    If something forces me or entices me to use FB or an email I give them one of those.


    • Naraka

      On the rare occasion I want the emails (UniWar back in the day) it's easy enough to create a rule in gmail to have those messages auto forwarded to your real account so you don't have to check several accounts if you so choose.

    • NOEN

      That's what I did. I just created a "gamer email" and created a FB account with that. The only info I have in it is my gender I think and my name is my gamecenter name. So far it's worked out pretty well. I guess it's a lot of unnecessary work, but I think it took me a total of 10 mins to create.

    • LilMountain

      If it has no friends how would you play a game such as QuizUp with your friends?

  • companyemails

    Yet another example of an area in which Google+ simply trumps facebook.

    • Naraka

      lol except no one is on it and never had a game/app ask for my google+ data, but hey I got two accounts there as well just in case....

      • companyemails

        You might want to double check your facts, G+ is already the second largest social network there is both in terms of users and user engagement, second only to facebook, but growing at a faster rate (though granted much of that is being driven by Google connecting all their services together through G+ and Android).

      • Retero

        Because if you have a Gmail account then you have to have a Google+ Account

      • companyemails

        That's incorrect. Your Google+ account is set aside when you create a Gmail account, but it is not authorized or activated. You have to manually activate the Google+ account that goes with your Gmail address.

      • theryanlilo

        Hold up, + is nowhere near twitter or Facebook. Sorry that's a fact lol

    • nini

      Yeah, Google would never sell you to advertisers or data miners, no way. They'll do it themselves, why bother with the middle man?

      • companyemails

        Correction, Google does not sell your personal information to other companies. What they sell are profiles built around your uses and interests (derived from your uses of their products and services). They don't share or sell your personal identifying user information (something Facebook actually does do).

      • nini

        No but they make a nice wedge of cash off your identity, doesn't matter where it goes as you're the product they're selling to advertisers.

      • companyemails

        True, but that's not the issue being discussed. The article is regarding yet another Facebook leak of your actual personal information (as in name and other real specifics). You are right that both platforms use you as the product. My point is that the manner in which your personal data is handled, especially in relation to third parties, makes Google+ a more secure platform (and that's on top of the other real world benefits that you get from all the interconnectivity with Google's other apps, products and services - which no other social network provides).

  • miumius

    Well as an unwanted sidenote QuizUp is a surprisingly polished and well-done quiz game if playing with Facebook friends. With that said I'm glad they're gonna fix this; and to be careful people shouldn't be putting all their info on facebook.

    • miumius

      Oops. Re-read the article and noticed other info was sent too. Not good.

  • Adams Immersive

    "was never actually stored on their servers" ...but WAS actually sent to strangers. Isn't that worse? The existence of data on a server is not directly the concern... it's what might happen to that data, where it might be sent, how it might be used, etc. Say, sharing it with strangers by the thousands!

    No app gets Facebook permission from me, I never leave Facebook logged into my browsers, and I use the FaceBook Blocker Mac Safari extension (since Facebook tracks people even when not logged in: all you have to do, apparently, is view a page that has a Like button, even if you never click it).

    I treat Google similarly--although it's at least more useful to me!

  • jstein360

    It's not like the internet doesn't have all your information already. I'm not suggesting to be careless, or that business shouldn't take privacy of their clients/customers seriously, but we've all given out tons of private information over the years. And QuizUp is really fun.

    I'm going to take their response in good faith and believe that they are actually fixing whatever security flaws exist. (As an aside, I normally say no when asked for contact information and no to Facebook integration, so the game wasn't really spamming me anyway.)

  • Chris Brady

    Mr. Hodapp, it doesn't matter what security options you use on Facebook, the NSA and everyone who needs it, has all your information.

    It's the reason that Facebook got in trouble with Canada's privacy laws.

    • JetLinerSaw


  • Jonathan Dawson

    This is terrible. I don't want strangers knowing my real name.

    • Jonathan Dawson

      Shouldn't there be some mention that Kyle Richter is the developer of a different, less popular quiz app?

    • miumius

      Okay Jonathan Dawson

  • cookiesEater

    Will Jonathan Dawson oops I spelled your real name^^

  • witedahlia

    From what I read in the Los Angeles Times a couple of months ago, Facebook actually wants to be able to know your real identity and be able to link all fake accounts to you. I don't have the article in front of me, but it pissed me off so much that it's burned into my memory. I don't know if this is something they can already do or if it's just a goal for the future. But if that is the case then unfortunately a separate gaming account won't help. A separate gaming account can't hurt in any case.

  • TripMX

    I never did like Facebook integration into my gaming. Now, a lot of games are including a Facebook icon/widget/advertisement after you accomplish some BS feat...eg. "Share on FaceBook". It's bothersome and doesn't do any justice for the game's interface and/or environment. After leveling up, I don't give a rat's ass if anybody else can 'see' that.

  • Samuli Ulmanen

    Don't put secrets into the internet, stupid.

  • rewindx

    Oh wow! I'm pretty darn lucky I didn't connect to Facebook yet. The sad part is that the game is actually quite fun. Things like this just make me feel sick. Ok, heavy Facebook integration anywhere makes me feel sick, but that's beside the point.

    Thanks for the warning TA. I probably would've connected soon if I hadn't come across this.

  • Rivalsan

    Thanks for looking out for us, Eli! I played the game with one of my friends a couple times, and even encouraged some other friends to use it. However, after reading your article, I revoked its Facebook rights, and deleted the game from my device immediately.

  • chief78

    This is exactly why I don't allow Facebook (hell, I hardly use FB for anything anymore) on any of my games. Anything asking to access my contacts or my phone, insta-delete. This all seems predatory in nature with the devs' only reprimand being that they were called out. There should be serious implications against devs like this....if only every content user agreement didn't waive all of our rights to be protected against identity theft etc....we can all thank Sony for that trend....

  • Bellina

    Facebook is a "safe haven"? It's anything but that, Facebook is now a business. No matter how much you tweak your privacy settings, they still see you as a customer.

  • oneironaut

    Wait what was that other thing that we used to use before this whole social media thing took hold? It did pretty much all the same stuff except without all the personal data theft, endless pages of pointless status updates, and a whole lot less stalking going on?.. Oh right, that's right, e-mail. Hell, I even seem to vaguely remember this other thing we used to have. I think they called it a telephone? U used to just bang in a few digits, hold it up to ur ear and u were away.

  • http://blog.sawilson.org/ Scott Wilson

    This is why a lot of us are switching to Google Plus. As ironic as it sounds, you have much better privacy.

  • xr280xr

    "Via plain text(un-hashed)" Hashed user information would never be sent. I think he means unencrypted, but this mistake doesn't inspire a lot of confidence in the research against QuizUp either.