'SDK Issue' May Have Leaked Data Of Hundreds Of Users, Said Twitter And Facebook

When user information is shared between services, gaps can open up that leak it.

Facebook and Twitter announced that personal data of hundreds of users may have been improperly accessed after they used their accounts to log into certain Android apps.

The companies realized this when they received a report from security researchers who discovered that a software development kit (SDK) named 'One Audience' gave third-party developers access to personal data.

The leaked data includes the email addresses, usernames and most recent tweets of people who used their Twitter accounts to access apps including Giant Square and Photofy.

While the companies initially didn't find evidence of information misuse, Twitter said that it may have been possible for a hacker to take control of someone else's account by exploiting this vulnerability.

According to Lindsay McCallum, a Twitter spokeswoman:

"We think it's important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts."

And according to a Facebook spokesperson regarding the disclosure:

"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."

The issue isn't caused by vulnerabilities on the platforms themselves but by an "SDK issue", Twitter explained in its post. To be exact, it is the "lack of isolation between SDKs within an application."

Exploiting this, hackers could embed a malicious SDK in apps and then use it to access and steal users' personal information.

"We have informed Google and Apple about the malicious SDK so they can take further action if needed. We have also informed other industry partners about this issue," said Twitter, adding that "we will be directly notifying people who use Twitter for Android who may have been impacted by this issue."

As for end users, there is practically nothing they could have done to prevent a potential breach, because everything happened in the backend.

However, for users who may have downloaded a malicious app from a third-party app store, "we recommend you delete it immediately," said Twitter.

In addition, Twitter users can go to settings and navigate to 'Apps and sessions' to see a list of all third-party apps that have authorized access to their accounts. If there is an app that isn't recognized or is no longer in use, "we recommend revoking their access to keep your account secure."

The incident comes as Facebook, Google and Twitter are all facing heightened scrutiny from regulators, lawmakers and users over the ways they share users' personal data with third parties.

This kind of issue has been a particular concern since March 2018, when reports surfaced that analytics firm Cambridge Analytica improperly accessed up to 87 million Facebook profiles, in part to target ads for Donald Trump in the 2016 presidential election.