Malicious third party apps leak personal data from Facebook, Twitter

Personal data of Facebook and Twitter users have been leaked to third parties by malicious applications, said an advisory issued by cybersecurity watchdog Cert-In. However, it has not disclosed its impact on the subscribers in India, which is among the largest market for Facebook and Twitter.

The apps violated Facebook’s platform policy by installing software in their platforms and by sending information to two companies — OneAudience and Mobiburn, the advisory said. The information sent to these companies is dependent on what a user may have shared with the app developer, to access their profile information, it added.

Also read | Facebook agrees to pay $5 billion penalty for privacy violations

Twitter shared that a software development kit (SDK) developed by OneAudience contains privacy-violating component which may have passed some of its users’ personal information like email, username, tweet to OneAudience servers, the advisory said.

“It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious SDKs used in certain third-party apps,” Cert-in said in the advisory note on November 27.

Also read | Anticipated privacy fine dents Facebook’s profit

When contacted, Facebook said that security researchers recently notified the company about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores.

“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against OneAudience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender,” Facebook spokesperson said.

Also read | Govt working on law to hold social media platforms accountable

Twitter said the breach has not happened due to a vulnerability in Twitter’s software, but rather the “lack of isolation between SDKs within an application”.

“We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” Twitter said in a blogpost.

It further said that the microblogging platform has also informed Google and Apple about the malicious SDK so they can take further action if needed. “We have also informed other industry partners about this issue,” Twitter said.