Some data of Facebook and Twitter users may have been viewed by external developers of Android apps after those users logged in with their social media accounts in certain Android apps from Google Play. The cause is said to be a malicious SDK.
According to Facebook, security researchers recently reported this potential security issue, which is said to centre on two companies, One Audience and Mobiburn, the social media company said in a statement to CNBC. These two companies are said to have paid developers to build the malicious SDKs into a number of apps, including Giant Square and Photofy.
Facebook says that after an investigation it has removed the apps in question from its platform and has sent cease and desist letters to the two companies. Facebook will also notify users whose information was likely shared after they granted the apps access to profile data such as their name, e-mail address and gender. Facebook urges users to be careful when deciding to give third-party apps access to their social media accounts.
Twitter is also reporting this issue, stressing that the cause is not a vulnerability in its own software, but rather a lack of isolation of SDKs within an app. According to Twitter, a malicious SDK could embed itself in a mobile app, after which a vulnerability in the mobile ecosystem could potentially be exploited to view email addresses, usernames and the user's most recent tweet. Twitter says it has no evidence that this was actually used to take over anyone's Twitter account, although that would have been possible. Although Twitter says it has no evidence that Twitter users on iOS were affected as well, the company has informed both Google and Apple about the SDK in question and is also going to notify potentially affected users.