Stop us if you've heard this one: Facebook and Twitter profiles silently slurped by shady code

Rogue SDKs covertly harvested personal info, it is claimed

Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people's accounts without permission.

The antisocial networks blamed the data slurp on what they termed a pair of "malicious" software development kits (SDKs) used by the third-party iOS and Android apps to display ads. Once a user was logged into either service using one of these applications, the embedded SDK could silently access that user's profile and covertly collect information, it is claimed.

In the case of Twitter, the offending SDK was built and maintained by marketing house oneAudience, and was allegedly caught collecting user names, email addresses, and Tweets via unspecified Android apps.

"We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," Twitter said in announcing the incident.

"We have informed Google and Apple about the malicious SDK so they can take further action if needed. We have also informed other industry partners about this issue."

Facebook, meanwhile, says it has had to shut down two SDKs for similar activity: both the oneAudience SDK and an SDK from marketing company MobiBurn were allegedly found to be harvesting profile information including names, genders, and email addresses when used in third-party apps.

"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," a Facebook spokesperson told The Register.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."

Spokespeople for oneAudience declined to comment. Meanwhile, MobiBurn has issued a public statement on the matter.

"No data from Facebook is collected, shared or monetised by MobiBurn," it said. "MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised."

At this point, this sort of personal data disclosure is nothing new for users of social networking sites. The loss of netizens' personal and profile information has been documented on nearly all of the major networks over the years, and execs have been taken to task by governments around the world for failing to properly secure personal data.

This latest incident brings back memories of the largest of those data thefts: the 2016 collection of Facebook information by political marketing strategists at Cambridge Analytica. In that case, tens of millions of user profiles were combed through for personal information that was then used to place highly-targeted campaign ads. ®

Biting the hand that feeds IT © 1998–2019