San Francisco: In yet another data breach, Facebook and Twitter have admitted that data of hundreds of users was improperly accessed by some third-party apps on Google Play Store as they logged into those apps.
Security researchers discovered that the One Audience and Mobiburn software development kits (SDK) provided access to users' data, including email addresses, usernames, and recent tweets, on both the platforms. Twitter and Facebook said they will notify those whose information was likely shared through apps.
"We recently received a report about a malicious mobile software development kit (SDK) maintained by One Audience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account," the micro-blogging platform said in a statement late Monday. The companies were notified of the vulnerability by third-party security researchers.
A Facebook spokesperson told The Verge: "After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn". “We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender". At the moment, it looks iOS users were not impacted.
According to Twitter, this issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," said Twitter. Twitter has informed Google and Apple about the malicious SDK so they can take further action if needed.
"We will be directly notifying people who use Twitter for Android who may have been impacted by this issue," it added. Earlier this month, Facebook revealed that at least 100 app developers may have accessed Facebook users' data for months, confirming that at least 11 partners "accessed group members" information in the last 60 days".
The social networking giant found that the apps -- primarily social media management and video streaming apps -- retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API (application programming interface). According to the company, the apps designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups.