I treat my Facebook account like a little safe haven on the internet, meticulously pouring over whatever privacy settings I can to make sure that only trusted friends and family can see my things. Is it overly paranoid? Maybe, but, it’s become increasingly apparent that nothing you do online will ever be deleted, so I like to keep as large of a wall around personal things as I can. Because of this, I absolutely hate giving games the OK to connect to my Facebook, and the depressingly popular QuizUp (Free) is the latest example of a game that leans heavily on Facebook to spread like a social virus… All while being shockingly careless with your personal data.
Developer Kyle Richter did some digging on what QuizUp is doing with your Facebook and local phone contact information. The full report can be read here, but the gist of it is the game is actively sending all of your personal data, in plain text, including your location, email address, and more. Additionally, once you give the game access to your contact list, all of your contacts are uploaded to QuizUp’s servers.
Through my research into the way the app functioned it became apparent that they weren’t just exposing private information but were actively breaking numerous rules, policies, security best practices, and actively deceiving their users.
The lax security rabbit hole in QuizUp goes so much deeper it’s incredible:
…in the case of QuizUp they actually send you other users’ personal information via plain-text(un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense.
It sounds like if you’ve used QuizUp, they’ve already captured all of your data, but you can be proactive about it not doing anything else in the future by deleting the app from your phone and heading to your Facebook app settings then revoking its rights to your Facebook data. This won’t do anything to the data they already have, but, at least it’ll stop new leaks.
This stuff is super gross, and a big reason why I never allow apps to touch my Facebook with rare exception… And if this creeps you out, I highly recommend doing the same.
UPDATE: We’ve been contacted by the developers who have said an update fixing this has been submitted to Apple already for approval and contact information was never actually stored on their servers, but, given these severe personal data security issues and totally ignoring common sense best practices, I’m not sure how much confidence that inspires.