Data belonging to some Facebook and Twitter users may have been accessed by third-party Android app developers after those users logged in to certain Android apps from Google Play with their social media accounts. The cause is a malicious SDK embedded in those apps.
According to Facebook, security researchers recently reported this potential security issue, which involves two companies, One Audience and Mobiburn. The two companies allegedly paid developers to embed malicious SDKs into a number of apps, including Giant Square and Photofy, the social media company said in a statement to CNBC.
Facebook says that after an investigation it removed the affected apps from its platform and sent the two companies cease and desist letters. Facebook will also notify users whose information is likely to have been shared after they granted the apps access to profile data such as their name, email address and gender. Facebook urges users to exercise caution when allowing third-party apps to access their social media accounts.
Twitter has also reported the issue, emphasizing that the root cause is not a vulnerability in Twitter's own software but the lack of isolation between SDKs within an app: a third-party SDK runs inside the host app's process with the app's own permissions, so it can read whatever the app itself can read. According to Twitter, a malicious SDK embedded in a mobile app could potentially exploit a vulnerability in the mobile ecosystem to access email addresses, usernames and the user's latest tweet. Twitter says it has no evidence that this was actually used to take over anyone's Twitter account, although it would have been possible. While Twitter says it has no evidence that Twitter users on iOS were affected, the company has notified both Google and Apple of the affected SDK and will also notify potentially affected users.