Facebook on Friday sued two Ukrainian men, Andrey Gorbachov and Gleb Sluchevsky, for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes.
The company also alleges that the deceptive extensions injected unauthorized ads into Facebook users’ News Feeds when victims visited the site through the compromised browsers.
From Facebook’s civil complaint:
As a result of installing the malicious extensions, the app users effectively compromised their own browsers because, unbeknownst to the app users, the malicious extensions were designed to scrape information and inject unauthorized advertisements when the app users visited Facebook or other social networking site as part of their online browsing.
According to the complaint, from 2016 to 2018, Sluchevsky and Gorbachov allegedly ran at least four web apps: “Supertest,” “FQuiz,” “Megatest,” and “Pechenka.”
The apps ran quizzes promising answers to questions such as “Do you have royal blood?”, “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?” among many others.
The apps were advertised and shared on Facebook, but they were available on public websites associated with several domains, including megatest.online, supertest.name, testsuper.su, testsuper.net, fquiz.com, and funnytest.pro.
Both of the defendants are based out of Kiev and work for a company called the Web Sun Group. Sluchevsky presents himself as the company’s founder.
Scraped social profiles
Facebook says that the extensions enabled the two to illegally scrape users’ publicly viewable profile information, such as name, gender, age range, and profile picture, when infected users visited social networking sites, including Facebook.
Facebook didn’t name the other social networking sites that the apps allegedly scraped.
It did say, however, that the alleged scraping is akin to illegally trespassing on its own servers:
Defendants used the compromised app users as a proxy to access Facebook computers without authorization.
The apps also allegedly got at private information such as Facebook users’ friend lists.
Facebook discovered and shut down the malicious apps while investigating malicious extensions in 2018. The company says that the two men compromised the browsers of approximately 63,000 Facebook users and caused the company over $75,000 in damages.
The platform is seeking an injunction and restraining order against the two developers, to keep them from creating any more apps targeting Facebook users.
Facebook is also requesting financial relief for the costs of investigating the defendants’ operation and restitution of any funds the two might have made off the use of Facebook users’ data.