A bug exposes data from hundreds of Facebook and Twitter users on Android

Recently Facebook and Twitter announced that data from "hundreds of users" may have been misused after their accounts were used to connect to Google Play Store applications on Android devices.

The companies received a report from security researchers who discovered that an SDK called OneAudience gave third-party developers access to personal data. This includes the email addresses, usernames, and most recent tweets of people who have used their Twitter account to access apps like Giant Square and Photofy.

This issue is not due to a vulnerability in Twitter or Facebook software, but to the fact that SDKs are not sufficiently isolated within an application.

The company also said that someone could take control of someone else's Twitter account through this vulnerability, although there is no evidence that this has happened.

“We recently received a report about a malicious mobile SDK managed by oneAudience. We are informing you today because we believe it is our responsibility to warn you of incidents that may affect the security of your personal data or your Twitter account.

“Our security team determined that the malicious SDK, which could be integrated into a mobile application, could exploit a vulnerability in the mobile ecosystem to allow access to personal information (email address, username, last Tweet). Although we have no evidence to suggest that the SDK was used to take over a Twitter account, it is possible that someone could do so.

“We found that this SDK was used to access the personal data of some Twitter account holders using Android. However, there is no evidence that the iOS version of this malicious SDK has targeted Twitter users for iOS.

“We have informed Google and Apple about the malicious SDK so that they can take further action if necessary. We also inform our other partners in the sector.

“We will directly notify Twitter for Android users who may be affected by this issue. You have no action to take at this time. However, if you think you have downloaded a malicious application from a third-party application store, we recommend that you remove it immediately.”

This warning comes at a time when Facebook, Google, and Twitter are subject to heightened scrutiny by regulators, legislators, and users over the use of personal data by third-party developers to track and target consumers.

The issue has been particularly worrying since March 2018, when reports revealed that Cambridge Analytica had accessed 87 million Facebook profiles, in part to influence Donald Trump's 2016 US presidential election.

A Facebook spokesperson released the following statement on Monday's disclosure:

“Security researchers recently reported two flaws to us, One Audience and Mobiburn, they were abusing them by using malware development kits in various applications available from popular application stores.

“After an investigation, we removed the applications from our platform for violating the rules of our platform and issued termination and suspension letters against One Audience and Mobiburn. We plan to notify individuals whose information we believe has likely been shared once they have granted these apps permission to access their profile information, such as their name, email address, gender, among other information that has been collected.”

Mobiburn issued a statement on Monday about the vulnerability, saying it doesn't collect data from Facebook and arguing that it is just making the process easier by introducing data monetization companies to mobile app developers.

"Despite this, Mobiburn ceased all activities until our third party investigation was completed," Mobiburn said.

