In yet another data breach, Facebook and Twitter have admitted that data of hundreds of users was improperly accessed. The companies clarified that some third-party apps on the Google Play Store were behind this improper access, which occurred when users logged into the apps. Security researchers discovered that the One Audience and Mobiburn software development kits (SDKs) provided access to users’ data. The problematic apps were able to access information including email addresses, usernames, and recent tweets on both platforms. Twitter and Facebook said they will notify the people affected by these apps.
Data Breach details
Twitter issued a statement on Monday in response to this incident. It stated, “We recently received a report about a malicious mobile software development kit (SDK) maintained by One Audience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account.” Third-party security researchers were the first to notify Facebook and Twitter about the vulnerability.
A Facebook spokesperson also issued a statement regarding the incident. The spokesperson added, “After investigating, we removed the apps from our platform for violating our platform policies.” Facebook has also issued cease and desist letters against One Audience and Mobiburn, and plans to notify the users affected by this data breach. It is also worth noting that the victims of the data breach gave the problematic apps access to their profile information. The report noted that iOS users do not seem to be affected.
Twitter indicated that this data breach was not likely due to a vulnerability in the official Twitter app for Android. Instead, it was likely because of a “lack of isolation between SDKs” in an app. The iOS version of this SDK does not seem to affect Twitter for iOS users. The company has already informed Google and Apple about the SDK so that they can take any further action.
Not the first time
This is not the first case of improper user data access. For context, Facebook revealed that “at least 100 app developers” accessed user data for months. The company also stated that “at least 11 partners” accessed the “group members” information in the last 60 days. Most of these apps were related to social media management and video streaming. The information includes names and profile pictures obtained using the Groups API. Earlier, we saw a similar situation with the Cambridge Analytica scandal.
With inputs from IANS.