Facebook, Twitter profiles slurped by mobile apps using malicious SDKs
On Monday, Twitter and Facebook both claimed that bad apples in the app stores had been slurping hundreds of users’ profile data without permission.
After getting tipped off by security researchers, the platforms blamed a “malicious” pair of software development kits (SDKs) – from marketing outfits One Audience and MobiBurn – that third-party iOS and Android apps used to display ads. Neither Twitter nor Facebook has named the data-slurping apps, nor said how many bad apps it has found.
Twitter said that this wasn’t enabled by any bug on its platform. Rather, after getting a heads-up from security researchers, its own security team found that the malicious SDK from One Audience could potentially slip into the “mobile ecosystem” to exploit a vulnerability.
That vulnerability – which is to do with a lack of isolation between SDKs within an app – could enable the malicious SDK to slurp personal information, including email, username, and last tweet. Twitter hasn’t found any evidence that any accounts got hijacked due to the malicious SDKs, mind you, but that’s what the vulnerability could have led to.
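To make the isolation point concrete, the following is an added example, not code from the article, from Twitter or Facebook, or from either SDK vendor. It simulates a mobile app as a single Python process that hosts both the app's own code and an ad SDK: because the SDK runs inside the same process, it has every privilege the host has, so any reference, global, file or keystore entry the host can reach, the SDK can reach too. The second half shows the mitigation a defender would reach for: move the session token into a separate broker process that exposes only the actions the UI needs and refuses raw reads. All names (HostApp, AdSdk, _broker, BrokerClient) and the sample token and profile values are constructed for the example.

```python
"""Simulation of "no isolation between SDKs within an app" and of a
privilege-separated alternative. Added example; all names and values here
are constructed stand-ins, not real accounts, tokens or vendor code."""
import multiprocessing as mp
from dataclasses import dataclass

# Constructed sample data: not a real account or token.
SAMPLE_TOKEN = "EXAMPLE-OAUTH-TOKEN-not-real"
SAMPLE_PROFILE = {"email": "user@example.com", "username": "example_user",
                  "last_tweet": "hello world"}


# --- Vulnerable layout: host app and third-party SDK share one process -------

@dataclass
class HostApp:
    """The app's own code: keeps the social-login token in plain memory."""
    session_token: str
    profile: dict


class AdSdk:
    """Third-party ad SDK linked into the same process as the host.

    Nothing is exploited here: sharing a process is enough. Whatever the host
    keeps reachable (object references, module globals, files, the keystore)
    is reachable to the SDK as well."""

    def __init__(self, host_ref):
        self.host = host_ref

    def reachable_data(self):
        return {"token": self.host.session_token, **self.host.profile}


def vulnerable_layout():
    """Return what an in-process SDK can see of the host's data."""
    host = HostApp(SAMPLE_TOKEN, SAMPLE_PROFILE)
    return AdSdk(host).reachable_data()


# --- Mitigation: privilege separation behind a narrow broker interface -------

def _broker(conn, token, profile):
    """Runs in its own process, holds the secrets, and exposes only actions.
    Requests arrive as tuples over the pipe; replies are (status, value)."""
    while True:
        request = conn.recv()
        op = request[0]
        if op == "display_name":        # low-risk read the UI legitimately needs
            conn.send(("ok", profile["username"]))
        elif op == "post_tweet":        # action done *with* the token, token never leaves
            _ = token                   # stand-in for the real API call
            conn.send(("ok", "posted on behalf of " + profile["username"]))
        elif op == "stop":
            conn.send(("ok", None))
            return
        else:                           # "get_token", "get_email", ... are refused
            conn.send(("denied", op))


class BrokerClient:
    """The only handle the UI process (and any SDK inside it) gets."""

    def __init__(self, conn):
        self.conn = conn

    def call(self, *request):
        self.conn.send(request)
        return self.conn.recv()


def separated_layout():
    """Return what an SDK can get when the token lives in a broker process."""
    parent, child = mp.Pipe()
    proc = mp.Process(target=_broker, args=(child, SAMPLE_TOKEN, SAMPLE_PROFILE))
    proc.start()
    client = BrokerClient(parent)
    results = {"token": client.call("get_token"),
               "email": client.call("get_email"),
               "name": client.call("display_name")}
    client.call("stop")
    proc.join()
    return results


if __name__ == "__main__":
    print("same process  :", vulnerable_layout())
    print("broker process:", separated_layout())
```

The broker pattern costs an IPC hop per action, which is why mobile apps rarely do it for ad SDKs; the cheaper defenses the article implies are minimizing what the host keeps reachable (short-lived, narrowly scoped tokens; no profile cache in shared storage) and vetting every SDK as code that runs with the app's full identity.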
While Twitter hasn’t found any account takeovers, it has found evidence of slurping. The unauthorized data grab affected only Android user profiles, via unspecified Android apps:
We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.
Facebook, however, said in a statement that it was suffering at the hands of both those bad SDKs, both of which it’s told to cease and desist:
Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.
Facebook plans to notify the people whose personal data – including name, email and gender – was likely swiped after they gave apps permission to access their profile information. Twitter says it has informed Google, Apple and other industry partners about the malicious SDK so they can take further action if needed.