The data breach has ever been a massive issue for facebook. Recently Facebook and Twitter revealed that two discontinued SDKs secretly harvested their data from these platforms that can access their emails, username and personal data affected apps include Giant Square and Photofy. Still, neither of them has shared the list of infected services.
This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. “Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.
Twitters’ Security Notice
Twitter confirmed that SDK harvested data for Android users, whereas IOS user’s remained safe. Twitter has also informed Google and Apple about the same.
Along with Twitter, Facebook has also confirmed the same that two malicious SDk’s harvested their user’s data while one of these was the same that affected Twitter.
oneAudience confirmed the problem and immediately shut down the SDK along with the associated website and said that data was never intended to be collected or never stored in the database.
Security researchers recently notified us about two bad SDK from One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in several apps available in popular app stores. After investigation, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We are planning to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email, and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.
Facebook’s Statement
The vulnerability which is to do with a lack of isolation between SDK’s within apps researchers said that it could slip into the mobile environment and could exploit a vulnerability.
After this incident, the owners of both the SDKs have released their statement clarifying the issue.
Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used.
Privacy statement from oneAudience
MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data.
Public announcement by MobiBurn
Facebook and Twitter have discontinued both the SDKs.
