Some third-party apps quietly scraped personal information from people’s Twitter and Facebook accounts, the two social media companies claim.
Facebook and Twitter revealed that some third-party apps quietly scraped personal information from people’s accounts without their consent.
According to the companies, the policy-violating behavior was caused by a couple of “malicious” software development kits (SDKs) used by third-party iOS and Android apps.
The SDKs were designed to display ads, but experts noticed that once users logged into either social network through one of these applications, the SDK silently accessed their profiles to collect information.
Android apps that embed the SDK code, which Twitter did not name, were able to collect usernames, email addresses, and Tweets.
The malicious SDK was developed by the marketing firm OneAudience, and Twitter has already informed its customers of the unauthorized activity.
“We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience,” reads the advisory published by Twitter. “This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.”
Although Twitter has no evidence that the SDK was used to take control of a Twitter account, the company does not rule out that an attacker could use it to do so.
Twitter is aware that the malicious SDK was used to access personal data for at least some Twitter accounts on Android devices, while it has no evidence that the iOS version of the SDK was used in the same way.
Twitter reported the incident to Google, Apple, and other industry partners, and is calling for action to block the malicious SDK and the apps that include its code.
Facebook announced that it has identified at least two other SDKs developed for a similar purpose; one was maintained by oneAudience and the second by the marketing company MobiBurn.
The malicious SDKs allegedly harvested profile information, including names, genders, and email addresses.
“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” a Facebook spokesperson told The Register.
“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
While oneAudience did not comment on the incident, MobiBurn published a statement denying that it harvests Facebook data and announced an investigation into third-party apps using its SDK.
“No data from Facebook is collected, shared or monetised by MobiBurn,” reads the statement. “MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised.”