Independent researchers recently found out that 2 software development kits, the One Audience and Mobiburn provided access to users’ data on Twitter and Facebook to third party developers. This Data included email addresses, usernames, and recent tweets/posts on both the platforms. Both social media giants have given statements that they will inform users whose data might have been affected and that they will be improving security.
Many apps allow a user to login using their Twitter or Facebook credentials. If a user logged in to apps running OneAudience or Mobiburn using their Twitter or Facebook credentials then their data may be accessible by third party developers.
“We recently received a report about a malicious mobile software development kit (SDK) maintained by OneAudience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account. This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.” Twitter said in a statement.
Twitter also mentioned that they have informed Google and Apple about the malicious SDK so the companies can take actions if required to protect users.
Facebook also made a statement saying that “After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender.”
Currently it does not look like iOS users were affected by this data breach. This is not the first time we have heard about a data breach like this. If you come across an app that is asking you for extra access to your private data and phone settings, it is better not install that app, even if it is from a known source.
For the latest gadget and tech news, and gadget reviews, follow us on Twitter, Facebook and Instagram. For newest tech & gadget videos subscribe to our YouTube Channel. You can also stay up to date using the Gadget Bridge Android App.
