Malicious SDK may have stolen personal data of Facebook, Twitter users

It seems like there has been yet another data leak. Both Facebook and Twitter have announced that the personal data of multiple users, who use their social media accounts to log into certain apps that were downloaded from the Google Play Store. 

In its official statement, Twitter noted that the vulnerability was not in Twitter’s software, but rather a lack of isolation between SDKs within an application. The micro-blogging site claims that the SDK maintained by oneAudience could be embedded within a mobile application and could exploit a vulnerability in the mobile ecosystem. This could include access to personal information such as email, username, and last Tweet. Twitter also notes that while it could not find any evidence that the SDK was used to take over an account, it is possible to do so. However, it did find evidence that the SDK was used to access personal data of some Twitter users on Android, but notes that there is no evidence that the iOS version of the SDK targeted people who use Twitter for iOS. Twitter also says that it informed both Google and Apple about the malicious SDK, so that those companies can also take the necessary action.

In a statement to CNBC, a Facebook spokesperson noted that, besides oneAudience, Mobiburn was also developing malicious SDKs. Following its own investigation, Facebook claims that the apps have been removed from the platform and that it has issued cease and desist letters against oneAudience and Mobiburn.

Both Facebook and Twitter plan to personally notify users affected by the issue. Twitter advises users to check which third-party apps they have authorised to access their account and to remove any that they do not recognise or no longer use. Facebook advises users to be more careful when selecting third-party apps to grant access to.
