Image via Pixabay
Facebook and Twitter both announced this week that the personal data of thousands of users may have been compromised in a recent breach involving malicious mobile software development kits (SDKs).
Twitter hasn’t shared any figures yet. Facebook, on the other hand, confirmed that thousands of users were affected. In addition, the company said they’ll be notifying more than 9 million users of the breach.
Twitter recently received a report about a malicious SDK maintained by oneAudience. According to Twitter, the issue is not due to a vulnerability in Twitter’s own software.
The vulnerability was traced back to oneAudience and its lack of isolation between SDKs within third-party applications. A spokesperson for Twitter explains:
“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”
Twitter informed both Google and Apple about the malicious SDK and will be notifying Twitter users in due course. Twitter advises users to delete any third-party apps they may have installed recently:
“There is nothing for you to do at this time. But if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately.”
Facebook said in a statement to CNBC that two “bad actors” were identified on their platform, namely oneAudience and Mobiburn. According to the spokesperson, these companies were paying developers to use malicious SDKs.
“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.”
Facebook also confirmed to Engadget that they’ll be informing more than 9.5m Facebook users that their personal data may have potentially been breached.
Facebook echoed Twitter’s warning about installing and using third-party apps: “We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
Mobiburn addressed the vulnerability:
“Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies. This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized.”
oneAudience released a statement saying it will be shutting down its SDK with immediate effect. The company claims it was never their intention to collect data:
“This data was never intended to be collected, never added to our database and never used.”