From the past few months Facebook facing a security threat on protecting Users data.The last report where it was revealed that a quiz app sold user data to a political firm. And now a different quiz app is getting some heat. A researcher discovered that a third-party app called NameTests left the data of 120 million Facebook users exposed to anyone who happened to find it. This put questions on facebook security system.

As Facebook privacy scandal kicked off it’s in March when it was revealed that a data firm hired by Donald Trump’s presidential campaign, Cambridge Analytica, had illicitly purchased Facebook user data from a professor running a novelty quiz app called “thisisyourdigitallife.”But Facebook knew about the violation but didn’t take any preventive measures for some years.

However, CEO Mark Zuckerberg started getting hauled in front of lawmakers and investors got nervous, Facebook rolled out changes—some big, some small. An audit of third-party apps resulted in the suspension of around 200 apps in May. But it appears there could be plenty more problems waiting out there as demonstrated by ethical hacker Inti De Ceukelaire’s discovery of the NameTests security flaw.

On Wednesday, De Ceukelaire described the process of reporting a flaw in the quiz app’s website to Facebook’s Data Abuse Bounty program. Since he had never personally tried a quiz app on Facebook, De Ceukelaire started looking at the apps his friends were using on the social media platform. He then decided to take his first quiz on NameTests app and trace how his data was being handled.

During his tracing, he found how his data das being handled, he noticed that NameTest’s website was fetching his information from the URL “http://nametests.com/appconfig_user.” His personal data was held in a JavaScript file that could easily be requested by any website that knew to ask.

The website running the quiz app was also found providing an access token that would allow any website to continue to access information regarding a user including their posts, photos and friends for up to two months.

Ceukelaire also discovered that his personal information, along with that of every other person who had taken the quiz, was being held in a JaveScript file that could easily be requested by any website that knew to ask, points out Medium.

The Facebook didn’t respond to the issue immediately after the issue is reported. De Ceukelaire says he reported the issue on April 22, and eight days later, Facebook responded that it was looking into it. On May 14, he checked in to see if Facebook had contacted the NameTest developers.T he social media giant replied eight days later that it could potentially take three to six months to go through an investigation.

On June 25, De Ceukelaire noticed that NameTest had fixed the issue. After contacting Facebook, it acknowledged the fix and agreed to donate $8,000 to the Freedom of the Press Foundation as part of its reward for the bounty. So according to De Ceukelaire, Facebook took at least a month to fix the problem, and it had to be hunted down to fulfill its bounty promise.

But this would be very strange that a social media giant which holds 2.2 billion users data would give this sort of slow response with its bounty program.