Facebook and Twitter users expose personal data to third-party apps

It seems like data breaches are at an all-time high. Just recently, Facebook and Twitter informed their users about a breach in which profile data could have been accessed by third-party apps.

These third-party apps, or malicious apps as you may prefer to call them, included the One Audience and Mobiburn software development kits (SDKs). It is estimated that they gained access to users’ profile information, including email addresses and usernames, and that they may also have accessed users’ recent tweets.

In a blog post published on Monday, Twitter said the following to its enormous user base: “We recently received a report about a malicious mobile software development kit (SDK) maintained by One Audience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account.”

It has now come to light that One Audience and Mobiburn had been paying app developers to embed malicious software development kits (SDKs) in their apps. These apps were present and active in popular app stores, such as Google’s Play Store, as well as in other third-party app stores.

A breach of data, and therefore of privacy, is a serious issue, and both platforms are extremely cautious and strict about it. When reached for comment, a Facebook spokesperson put forth the following statement regarding the whole episode:

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.
We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

Twitter further mentioned that it had already informed Google and Apple, which run the popular app stores, about the malicious SDKs so they could take further action if required. Twitter also noted in its blog post that the breach could have impacted over a hundred users who might have installed the apps mentioned above and allowed them to save details such as email address and name. It was thanks to third-party security researchers that both companies, Facebook and Twitter, learned about this probable security breach.

“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.”
“…we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.”

Right now, it appears that this episode has impacted only Android users. It may be that the Google Play Store was the one hosting the third-party apps that users downloaded. It is not yet clear whether the breach has affected iPhone users and other Apple device users as well.

This new intrusion into users’ privacy comes just days after Facebook informed its users about a data leak in which information was probably accessed by over 100 developers. That incident involved groups and their member details: the developers had retained access to group members’ information through the Groups API (Application Programming Interface).

The disclosure created quite a stir, as it appeared that app developers had access to group members’ names, profile pictures, and group activity. Although the feature that granted this access had long been discontinued, those apps managed to retain the details, according to the information that came to light.

Facebook further acknowledged the possibility that at least 11 of its partners had accessed group member information in the last 60 days. The third-party apps in question were primarily social media management tools, with video streaming apps among the others.

Both Facebook and Twitter will be notifying their users about the issue and advising them to delete any malicious app, including any apps they might have installed from a third-party app store.

“We will be directly notifying people who use Twitter for Android who may have been impacted by this issue. There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately.”

Twitter took to its blog in a defensive undertone, claiming that the issue had not been caused by any vulnerability in Twitter’s own software. Rather, the lack of separation between SDKs (software development kits) within an app was the actual culprit.

Although any amount of information could have been exposed, Facebook maintained that the extent of the privacy breach largely depended on the app permissions users had agreed to, as well as on the information they willingly entered.
