Facebook, Twitter users’ data leaked via third-party SDKs

By Xite - November 26, 2019
Facebook and Twitter have confirmed that the personal data of users who used their Twitter or Facebook accounts to log in to two third-party apps may have been accessed by third-party developers.

Personal data of ‘hundreds of users’ may have been accessed by third-party developers, Facebook and Twitter have announced. According to the companies, the data of users was exposed after their accounts were used for logging into Google Play Store apps on Android devices. There is no confirmation on whether the personal information of iOS users was compromised. The tech giants were reportedly notified of the vulnerability by third-party security researchers, Twitter said in a blog post.

The researchers found that development kits named One Audience and Mobiburn gave third-party developers access to personal information, including usernames and email addresses of the users, as well as to recent tweets of those who used their Twitter accounts to access apps including Giant Square and Photofy. This means that the loophole was not on the companies' part (or apps) but in a third-party SDK (software development kit).

Twitter said that the ‘issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application.’ ‘We think it’s important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts,’ CNBC quoted Lindsay McCallum, a Twitter spokeswoman, as saying. Twitter said it will inform users who were affected, and that they have also notified Google and Apple about the vulnerability.

Facebook said that after investigating, they removed the apps from the platform for violating its platform policies and issued cease and desist letters against One Audience and Mobiburn. ‘We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts,’ The Verge quoted Facebook as saying.

Meanwhile, Mobiburn said that it does not collect, share or monetise data from Facebook. ‘Mobiburn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized,’ it told CNBC.
