Third-party SDKs secretly collected data from Twitter and Facebook users

This week it became known that, because of third-party SDKs, the data of Twitter and Facebook users was leaked to outside parties (of course, without the users' knowledge).

An SDK (software development kit) is a set of development tools that allows software specialists to create applications for a specific software package, base development framework, hardware platform, computer system, game console, operating system or other platform.

On Monday, Twitter representatives reported that the company had received a warning about the analytics SDK platform OneAudience. This company develops a mobile SDK for Android and iOS applications that collects user data in order to give developers additional information about their audience.

As it turned out, the company’s SDK contained functionality that allowed it to collect sensitive information from Twitter users without their permission. Twitter developers emphasized that this was not a vulnerability in their application, but a lack of isolation between the SDKs inside it.

“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information”, Twitter representatives reported.

In practice, when users installed such an application on their device and then used the “Login via Twitter” function to sign in, the SDK secretly collected their Twitter profile information.

Worse, the social network said it had “evidence that the SDK was used to access people’s personal data.” The information gathered included the email address, the username and the user's last tweet. According to CNBC, at least two applications with this behavior have been discovered: Giant Square and Photofy.

Twitter does not say exactly how many users were affected by this problem, but it is known that only Android users were affected. Twitter representatives have notified Google and Apple of what is happening, so that they can now take action on their own against applications containing the OneAudience SDK.

Facebook faced a similar problem, but in this case two SDKs were collecting user data at once: the aforementioned OneAudience SDK and the MobiBurn data monetization SDK.

Data collection happened in the same way as in the Twitter case: if the user linked a third-party application to their Facebook account, the SDK secretly collected personal user data, including name, email address and gender.

After the investigation was completed, the social network removed an application that was violating its rules from the platform, and also sent written warnings to the developers of One Audience and Mobiburn.

Representatives of One Audience and Mobiburn have already published official statements in which they assure that they only provided application developers with the appropriate tools and did not themselves take part in the data collection.

“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used”, claim One Audience and Mobiburn representatives.

In effect, the companies blame the developers who allegedly abused the SDK. After receiving the warning from Facebook, both companies have temporarily stopped developing the SDK, and it is no longer available for download until the investigation is completed and the situation is resolved.

James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
