What About Those Stupid Facebook Quizzes?

A friend of mine, concerned about privacy issues, just posed an excellent question… she asked me, “Mike, what about those stupid quizzes on Facebook – should I be concerned about taking those?”
If you care at all about your privacy, and much more important – if you are concerned about the privacy of any of your friends, you may want to continue reading this post. When I conclude, I will give you some tips for locking down your information on Facebook (as far as quizzes are concerned). And protect your friends as well.
As you know, each of you has a profile on Facebook. This includes things like where you went to school, your profession, where you live, your telephone number and email address, religious preference, sexual orientation, relationship status, and a plethora of other information. This information is the currency for advertisers and “data brokers”, companies that harvest information and sell it. This is a very lucrative business. The more a company knows about you, the better it can target ads. OK, so maybe that isn’t a big deal. So what is the problem with quizzes?
When you take one of those “stupid” quizzes on Facebook, such as – “what superhero are you most like?”, it prompts you with a notification that warns you about collecting your profile data. If you have taken one of these quizzes, you know exactly what I’m talking about. You might be thinking that the program behind a lot of these uses some sophisticated algorithm to come up with an answer. Wrong. The code for these are usually a joke, and they basically either randomly select an answer, or use some basic logic to come up with something that makes you feel good.
The issue is when you hit the “I agree” button, all of your profile information is gathered into a data blob and sent across the wire to the quiz provider. So you might be thinking, “this is not my problem – I would never take one of these quizzes”. Well guess what? If any of your friends like to take these quizzes, your data can be sent as well. Yes, that’s right – your data. Using something called a Graph API, a quiz provider can use code to link to all of the friends of whoever takes the quiz, and suck in all of their profile data as well. This “metadata” can then be used in a phishing scam.
For example, let’s say I wanted to come up with a scam that sends an email to every single person who “likes” Bank of America in order to steal their profile information and then bank accounts. I want to give a quiz in an attempt to suck in their information, at which point I will send them a false email from the bank. Before I do this, I will set up a fake web site called Bank of America, and I will use a couple of tricks in order to lure them to the site. In other words, I will perform what is called a “man in the middle attack”. In the simplest terms, when they navigate to the bank’s web site, instead of going to the real bank, I will redirect them to my fake web site, which will be used to collect their account information and password.
In order to do this, I will put up a fake quiz on Facebook, which any person in the world can do. When they click on the “accept” button, the prompt telling them I am going to collect certain information but not post on Facebook, it will also suck in all the profile information of every single one of their friends. Then, I will write a program that searches everyone who likes Bank of America. Since I now have the email address of the person, I will send them a fake email that seems like it has come from the bank, but does not. At the bottom of the email will be an address that is not correct but looks real. When they click on the link, instead of going to the real bank, it will come to my site. It will then ask them for their credit card and password.
Instead of using this information myself, for which I may be caught, I will simply jump on the Deep Web, where there exists a plethora of people just eager to buy this information, and for a very good price. I will then delete the site, delete any trace of our interaction, remove the quiz from Facebook, and vanish – with a bunch of cash.
Below is a screen shot from my security settings in Facebook. Unfortunately, this screen is not so simple to find. Facebook wants it this way even though they say they don’t. They make money from advertisers because of these quizzes. So what can you do?
In order to get to this screen, and stop sharing all of your confidential data, go to “Security -> Apps -> Apps Others Use”. Here you will find a list of boxes that have checks next to each piece of profile information.
Long story short – remove the check next to every single one of these, and please – don’t take any of those stupid quizzes.