Skip to main content

Private data of some Facebook and Twitter users leaked through malicious apps

On Monday, November 25, Facebook and Twitter said private data of “hundreds of their users” was compromised through malicious third-party Android apps. The social media companies were tipped off by a team of security researchers who discovered that a software developer kit called One Audience allowed developers to access personal information they weren’t supposed to.

In addition to data such as email addresses and usernames, the vulnerability also exposed users’ recent tweets if they logged into those bad apps with their Twitter account. While the report doesn’t share specifics on the Android apps, CNBC says popular photo-editing apps like Giant Square and Photofy may be among them — the former of which has already been taken down from the Google Play Store.

Recommended Videos

The issue, as one would expect, didn’t originate due to oversights in Twitter and Facebook’s frameworks. Instead, the companies suggest it was caused by the lack of sufficient isolation between software developer kits within a single app on Android.

The majority of apps today employ multiple external tools for enabling different services like advertising and analytics. Since, according to Twitter, there wasn’t a stringent set of security walls to separate each of those, the OneAudience SDK was able to tap into the rest.

“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so,” added Twitter in a blog post.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn,” said a Facebook spokesperson.

Even though Twitter has pinned the breach on Android’s shortcomings, it’s still unclear how the OneAudience SDK stole users’ private data. Authentication APIs by Facebook and Twitter are not supposed to directly share information with third-party partners in the first place. Facebook mentions the breach impacted users who granted a few app permissions before reading what they were giving up.

Twitter and Facebook have notified Google and Apple of the vulnerability but haven’t commented on whether they plan to reprogram their apps to prevent a breach like this from happening again in the future.

Earlier this month, a Facebook bug gave its app background access to iOS users’ cameras and a week before that, it was found that private data of thousands of Facebook group members had been compromised.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
Bluesky finally adds a feature many had been waiting for
A blue sky with clouds.

Bluesky has been making a lot of progress in recent months by simplifying the process to sign up while at the same time rolling out a steady stream of new features.

As part of those continuing efforts, the social media app has just announced that users can now send direct messages (DMs).

Read more
Reddit just achieved something for the first time in its 20-year history
The Reddit logo.

Reddit’s on a roll. The social media platform has just turned a profit for the first time in its 20-year history, and now boasts a record 97.2 million daily active users, marking a year-over-year increase of 47%. A few times during the quarter, the figure topped 100 million, which Reddit CEO and co-founder Steve Huffman said in a letter to shareholders had been a “long-standing milestone” for the site.

The company, which went public in March, announced the news in its third-quarter earnings results on Tuesday.

Read more
Worried about the TikTok ban? This is how it might look on your phone
TikTok splash screen on an Android phone.

The US Supreme Court has decided to uphold a law that would see TikTok banned in the country on January 19. Now, the platform has issued an official statement, confirming that it will indeed shut down unless it gets some emergency relief from the outgoing president.

“Unless the Biden Administration immediately provides a definitive statement to satisfy the most critical service providers assuring non-enforcement, unfortunately TikTok will be forced to go dark on January 19,” said the company soon after the court’s verdict.
So, what does going dark mean?
So, far, there is no official statement on what exactly TikTok means by “going dark.” There is a lot of speculation out there on how exactly the app or website will look once TikTok shutters in the US.

Read more