Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users’ data associated with their connected social media accounts.
In a blog post published yesterday, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users’ personal data to the OneAudience servers.
Following Twitter’s disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn, is also under investigation for a similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms.
Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into the apps, which then collect users’ behavioral data and then use it with advertisers for targeted marketing.
In general, third-party software development kits used for advertisement purposes are not supposed to have access to your personally identifiable information, account password, or secret access tokens generated during ‘Login with Facebook’ or ‘Login with Twitter’ process.
However, reportedly, both malicious SDKs contain the ability to stealthy and unauthorizedly harvest this personal data, which you otherwise had only authorized app developers to access from your Twitter or Facebook accounts.
“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application,” Twitter clarified while revealing about the data collection incident.
So, the range of exposed data is based upon the level of access affected users had provided while connecting their social media accounts to the vulnerable apps.
This data usually includes users’ email addresses, usernames, photos, tweets, as well as secret access tokens that could have been misused to take control of your connected social media accounts.
“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so,” Twitter said.
“We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android; however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.”
Twitter has also informed Google and Apple about the malicious SDKs and suggested users to simply avoid downloading apps from third-party app stores and periodically review authorized apps.
images from Hacker News