Facebook and Twitter have announced that the personal data of hundreds of users may have been “improperly accessed” after using their accounts to log into certain Android apps downloaded from the Google Play store.
On Monday, Twitter announced in a blog post that it received a report about a malicious mobile software development kit (SDK), maintained by OneAudience, that could be embedded within a mobile application and potentially exploit a vulnerability allowing personal information to be accessed.
“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application,” Twitter explained. This means that if users installed a mobile app onto their device and used the Login with Twitter feature to log into that app, the SDK present in the app harvested information about that Twitter profile: any SDK compiled into an app runs in the same process, with the same permissions and access to the same data, as the app’s own code.
The collected information included email, username and last tweet.
Twitter added that Android users were impacted, but there was no evidence to show that the iOS version of this malicious SDK targeted people who use Twitter for iOS.
“There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately.”
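The Twitter statement above places the problem with the third-party SDKs an app bundles rather than with the login provider, so the practical defence for an app developer is to know exactly which SDKs (including transitive ones pulled in by other libraries) ship in a build and to review each one. The following script is an added example, not code from Twitter, Facebook, OneAudience or MobiBurn: it parses the tree printed by Gradle's `dependencies` task for an Android release classpath and flags every artifact that is not on a reviewed allowlist, reporting the chain through which a transitive SDK arrived. The sample tree, the `com.example.*` coordinates and the allowlist are constructed placeholders.

```python
"""
Inventory the third-party SDKs bundled into an Android app by parsing the
output of `./gradlew app:dependencies --configuration releaseRuntimeClasspath`
and flag anything not on a reviewed allowlist.
Added example; the sample tree and all com.example.* coordinates are
constructed placeholders, not real artifacts.
"""
import re
from dataclasses import dataclass

# Constructed sample of Gradle's dependency-tree output (not from a real app).
# Gradle indents each level by five characters and marks repeats with "(*)".
SAMPLE_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.squareup.okhttp3:okhttp:4.9.0
|    \\--- com.squareup.okio:okio:2.8.0
+--- com.example.login:social-login:2.1.0
|    \\--- com.example.placeholder:analytics-sdk:1.2.0
\\--- com.example.placeholder:analytics-sdk:1.2.0 (*)
"""

# Artifacts (group:artifact) that a reviewer has already looked at. Constructed.
ALLOWLIST = {
    "com.squareup.okhttp3:okhttp",
    "com.squareup.okio:okio",
    "com.example.login:social-login",
}

# One tree line: optional 5-char indent groups, a "+--- " or "\--- " branch,
# then group:artifact:version and whatever follows (e.g. "-> 4.10.0 (*)").
LINE_RE = re.compile(
    r"^(?P<prefix>(?:[|\s]{5})*[+\\]--- )"
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<rest>.+)$"
)


@dataclass
class Dependency:
    coord: str      # group:artifact
    version: str    # resolved version (after "->" when Gradle upgraded it)
    depth: int      # 0 = declared directly by the app
    path: list      # coordinates from the direct dependency down to this one


def parse_dependency_tree(text):
    """Turn Gradle's dependency tree into a flat list of Dependency records."""
    deps = []
    stack = []  # ancestors of the current line, indexed by depth
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and legend lines carry no artifact
        depth = (len(m.group("prefix")) - 5) // 5
        coord = f"{m.group('group')}:{m.group('name')}"
        tokens = m.group("rest").split()
        version = tokens[tokens.index("->") + 1] if "->" in tokens else tokens[0]
        del stack[depth:]           # drop siblings' children from the stack
        stack.append(coord)
        deps.append(Dependency(coord, version, depth, list(stack)))
    return deps


def find_unreviewed(deps, allowlist):
    """Return the first occurrence of each artifact missing from the allowlist."""
    seen = set()
    flagged = []
    for dep in deps:
        if dep.coord in allowlist or dep.coord in seen:
            continue
        seen.add(dep.coord)
        flagged.append(dep)
    return flagged


if __name__ == "__main__":
    for dep in find_unreviewed(parse_dependency_tree(SAMPLE_TREE), ALLOWLIST):
        origin = "direct" if dep.depth == 0 else "transitive"
        print(f"UNREVIEWED {dep.coord}:{dep.version} ({origin}) via "
              + " -> ".join(dep.path))
```

Run against a real project's output, the script lists each artifact that nobody has reviewed together with the library that pulled it in, which is the case that matters here: a login or advertising library can bring in a second SDK that the app developer never chose. Keeping the report in version control turns a new, unexpected SDK into a visible diff at review time.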
Facebook users were also impacted by the OneAudience SDK and by the MobiBurn SDK; both companies were “paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” a Facebook spokesperson said in a statement to CNBC.
Facebook has confirmed that the apps have been removed from the platform for violating its platform policies, and that it has issued cease-and-desist letters to OneAudience and MobiBurn.
“We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts,” said Facebook.
On Monday, OneAudience released a statement announcing that it will be shutting down its SDK: “This data was never intended to be collected, never added to our database and never used.”
MobiBurn also released a statement, claiming that it had not “collected, shared or monetised” any data from Facebook.
“Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies,” Mobiburn said.
Both OneAudience and MobiBurn have ceased all activities.
The post #Privacy: Facebook and Twitter user data exposed due to malicious Android SDKs appeared first on PrivSec Report.