Facebook is suing Andrey Gorbachov and Gleb Sluchevsky, of Ukraine, who worked for a company called Web Sun Group which developed malicious quiz apps that were used to harvest thousands of users’ profile data.
The firm says anyone who wanted to take the quizzes was asked to install browser extensions, which then lifted data ranging from names and profile pictures to private lists of friends. These installed about 63,000 times between 2016 and October 2018, it says.
The quizzes, with titles such as “What does your eye color say about you?” and “Do people love you for your intelligence or your beauty?”, gained access to this information via the Facebook Login system – which enables connections between third-party apps and Facebook profiles.
While the system is intended to verify that such connections are secure, in this case, Facebook says, users were falsely told the app would retrieve only a limited amount of public data from their profiles.
“In total, defendants compromised approximately 63,000 browsers used by Facebook users and caused over $75,000 [£58,000] in damages to Facebook,” the company said in court documents first published by online news site The Daily Beast.
The documents accuse the two men of breaking US laws against computer hacking as well as breaching Facebook’s own terms of use.
Andrew Dwyer, a cyber-security expert at the University of Oxford, said the court document suggested users who installed the browser extensions had “effectively opened up entry into their Facebook accounts”.