Twitter, Facebook User Data Improperly Accessed via Malicious SDKs

Twitter and Facebook this week took action against malicious mobile software development kits (SDKs) that were used to improperly access user data.

Both companies have confirmed that, upon receiving reports of the malicious tools, they conducted their own investigations and concluded that the SDKs were indeed malicious. Users who downloaded and installed applications that employ these kits have been impacted.

In a blog post on Monday, Twitter revealed that the malicious SDK that affected some of its users came from oneAudience. The kit could be used to access user data and possibly take over accounts, but the platform says it has no evidence that the latter has occurred.

“We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” Twitter announced.

The social platform says it will inform potentially impacted Android users and suggested that users should not only delete third-party apps that might be malicious, but also review and revoke permissions granted to those apps.

Facebook confirmed that two malicious kits were used to target the information of its users: the oneAudience and Mobiburn SDKs. The company has already removed the apps employing these tools and issued cease and desist letters against the offending platforms.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn,” a Facebook spokesperson said in an emailed statement.

“We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts,” the spokesperson added.

On its website, MobiBurn has posted a note claiming that it does not collect, share, or modify data from Facebook.

“MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies,” the company says.

Both Google and Apple have been informed about the findings, and they could take further action against applications using the malicious SDKs.

Related: Facebook: Third-Party App Developers Improperly Accessed User Information

Related: Twitter Admits Phone Numbers Meant for Security Used for Ads