Two Discontinued Software Development Kits Found Secretly Harvesting Data From Facebook And Twitter

Data harvesting has long been a problem for Facebook, but this incident also involved Twitter. Both companies confirmed that two now-discontinued software development kits (SDKs), embedded in third-party mobile apps, harvested users’ data from their platforms.

Facebook, Twitter Data Secretly Harvested

Facebook and Twitter are in the news again, this time over a data security incident caused by third-party code rather than by their own software. As revealed, two recently discontinued SDKs, embedded in mobile apps, secretly harvested data from both platforms.

Incident With Twitter

Twitter revealed that a malicious SDK from OneAudience, which developers had embedded in their third-party apps, harvested users’ data from within those apps. According to CNBC, the apps found exhibiting this behavior included Photofy and Giant Square.

According to Twitter’s security notice,

This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.

Twitter confirmed that the SDK harvested data from some Twitter for Android users; Twitter for iOS users were not affected. Twitter says it is notifying the Android users who were potentially impacted.

Twitter has also informed Google and Apple about the matter.

Incident With Facebook

Alongside Twitter, Facebook confirmed the incident in a statement to CNBC, naming two malicious SDKs that harvested Facebook users’ data. One is the same OneAudience SDK that affected Twitter; the other comes from the data monetization platform MobiBurn.

Facebook said it has removed the apps that used the malicious SDKs from its platform and intends to notify the users affected by the incident.

Below is the statement Facebook’s spokesperson gave to CNBC,

Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email, and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.

Two Guilty SDKs Discontinued

After the news surfaced, the owners of both SDKs released statements clarifying the matter. Both firms said their SDKs were not intended to collect users’ data in the way they did.

As stated in the privacy statement from oneAudience,

Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used.

MobiBurn made a similar clarification in its public announcement,

MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data.

Both firms have since discontinued their SDKs.
