Skip to main content

Private data of some Facebook and Twitter users leaked through malicious apps

On Monday, November 25, Facebook and Twitter said private data of “hundreds of their users” was compromised through malicious third-party Android apps. The social media companies were tipped off by a team of security researchers who discovered that a software developer kit called One Audience allowed developers to access personal information they weren’t supposed to.

In addition to data such as email addresses and usernames, the vulnerability also exposed users’ recent tweets if they logged into those bad apps with their Twitter account. While the report doesn’t share specifics on the Android apps, CNBC says popular photo-editing apps like Giant Square and Photofy may be among them — the former of which has already been taken down from the Google Play Store.

Related Videos

The issue, as one would expect, didn’t originate due to oversights in Twitter and Facebook’s frameworks. Instead, the companies suggest it was caused by the lack of sufficient isolation between software developer kits within a single app on Android.

The majority of apps today employ multiple external tools for enabling different services like advertising and analytics. Since, according to Twitter, there wasn’t a stringent set of security walls to separate each of those, the OneAudience SDK was able to tap into the rest.

“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so,” added Twitter in a blog post.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn,” said a Facebook spokesperson.

Even though Twitter has pinned the breach on Android’s shortcomings, it’s still unclear how the OneAudience SDK stole users’ private data. Authentication APIs by Facebook and Twitter are not supposed to directly share information with third-party partners in the first place. Facebook mentions the breach impacted users who granted a few app permissions before reading what they were giving up.

Twitter and Facebook have notified Google and Apple of the vulnerability but haven’t commented on whether they plan to reprogram their apps to prevent a breach like this from happening again in the future.

Earlier this month, a Facebook bug gave its app background access to iOS users’ cameras and a week before that, it was found that private data of thousands of Facebook group members had been compromised.

Editors' Recommendations

Twitter finally confirms it’s behind outage of third-party Twitter apps
A stylized composite of the Twitter logo.

Twitter has finally confirmed what everyone pretty much already knew -- that it’s behind the outage of popular third-party Twitter clients such as Tweetbot and Twitterrific.

In a message posted on its Twitter Dev account for developers, the company said: “Twitter is enforcing its long-standing API rules. That may result in some apps not working.” But it declined to offer any details about what API rules the developers of the third-party apps have violated.

Read more
Thanks to Tapbots’ Ivory app, I’m finally ready to ditch Twitter for good
Profile displayed in Ivory app

Ever since Elon Musk took ownership of Twitter, it’s been one chaotic new thing after another. You literally cannot go a day (or a few days or even a week) without some stupid new change to the site — whether it’s about checkmarks for verified or Twitter Blue subscriber accounts, how links to other social networks are banned and then reversed, view counts on Tweets, or something else. I can’t keep up with every little thing that has happened since the beginning of November, and it feels like the spotlight is always on the toxicity of the site in general.

New Twitter alternatives have been popping up recently, but it seems that the most popular one continues to be Mastodon. I originally made a Mastodon account back in 2018 when it first launched, but it never clicked with me back then, and I eventually went back to Twitter. With the Musk mess, I tried going back to Mastodon, but again, it didn’t really click with me — until Tweetbot developer, Tapbots, revealed its next project: Ivory.
The significance of Tapbots and Tweetbot

Read more
Elon Musk just did something uncontroversial at Twitter
Twitter logo in white stacked on top of a blue stylized background with the Twitter logo repeating in shades of blue.

Elon Musk has unveiled a new Twitter feature that lets you see how many times a tweet has been viewed.

The company's new owner and CEO posted about the feature on Thursday, noting that it’s similar to how the platform already shows view counts for videos.

Read more