Skip to main content

Caught Again Accessing Facebook and Twitter Users Data in a Malicious Android SDKs

Facebook Twitter Malicious SDK

Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users' data associated with their connected social media accounts.

In a blog post published a week before, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users' personal data to the OneAudience servers.

Following Twitter's disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn, is also under investigation for a similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms.

Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into the apps, which then collect users' behavioral data and then use it with advertisers for targeted marketing.

In general, third-party software development kits used for advertisement purposes are not supposed to have access to your personally identifiable information, account password, or secret access tokens generated during 'Login with Facebook' or 'Login with Twitter' process.

However, reportedly, both malicious SDKs contain the ability to stealthy and unauthorizedly harvest this personal data, which you otherwise had only authorized app developers to access from your Twitter or Facebook accounts.

"This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application," Twitter clarified while revealing about the data collection incident.

So, the range of exposed data is based upon the level of access affected users had provided while connecting their social media accounts to the vulnerable apps.

This data usually includes users' email addresses, usernames, photos, tweets, as well as secret access tokens that could have been misused to take control of your connected social media accounts.

"While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so," Twitter said.

"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android; however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS."

Twitter has also informed Google and Apple about the malicious SDKs and suggested users to simply avoid downloading apps from third-party app stores and periodically review authorized apps.

Meanwhile, in a statement provided to CNBC, Facebook confirmed that it had already removed the apps from its platform for violating its policies and issued cease and desist letters against both One Audience and Mobiburn.

"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," Facebook said.

In response to this, OneAudience announced to shut down its SDK and also provided a statement saying, "this data was never intended to be collected, never added to our database and never used."

"We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version," OneAudience said.

Both social media companies are now planning to shortly inform their users who may have been impacted by this issue.

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...