Twitter and Facebook are warning of software development kits (SDKs) that could be embedded within a mobile application and used to harvest personal user information.
The SDKs, which the tech giants said are maintained by oneAudience and MobiBurn, could be used by mobile app developers to craft malicious applications that ask for permission to access social-media information. From there, the apps can scrape profile information, such as email addresses, usernames, gender, last tweets and so on, according to Twitter.
“We have evidence that [the oneAudience] SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” said Twitter, in a website notice. Twitter added that such apps exploit a weakness of the mobile ecosystem itself: the lack of isolation between SDKs within an application. An SDK compiled into an app runs in that app’s process with the app’s permissions and its stored access tokens, so whatever the user grants to the app is available to every library bundled inside it.
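The trust boundary Twitter describes can be made concrete with a small model. The following is an added illustration, not code from the Threatpost article, Twitter, Facebook, oneAudience or MobiBurn; MockPlatform, HostApp, EmbeddedSdk, the app id and the sample profile are all hypothetical, and MockPlatform is an in-memory stand-in for a social network’s OAuth-protected profile API. The user consents once, to the host app; the embedded SDK, which never appears on any consent screen, reads the host’s token from the shared process state and pulls the same profile fields the article lists.

```python
"""Why an SDK compiled into an app can read data the user granted to that app.

Added illustration; all names are hypothetical and MockPlatform stands in for
a real social platform API.
"""

# Constructed sample profile, standing in for a real social-media account.
SAMPLE_PROFILE = {
    "username": "alice_example",
    "email": "alice@example.invalid",
    "gender": "female",
    "last_tweets": ["first constructed tweet", "second constructed tweet"],
    "phone": "+1-555-0100",
}


class MockPlatform:
    """Stand-in for the platform API. Like a real OAuth-protected API it
    authorizes by bearer token only: it sees an app identity, never which
    piece of code inside that app's process made the request."""

    def __init__(self):
        self.tokens = {}  # token -> (app_id, profile the user consented to share)
        self.audit = []   # one row per API call: (app_id, endpoint)

    def authorize(self, app_id, profile):
        """User taps 'Allow' on the consent screen for app_id."""
        token = f"tok-{app_id}-{len(self.tokens)}"
        self.tokens[token] = (app_id, profile)
        return token

    def get_profile(self, token):
        """Equivalent of GET /me: returns the profile bound to the token."""
        app_id, profile = self.tokens[token]
        self.audit.append((app_id, "GET /me"))
        return dict(profile)


class HostApp:
    """The app the user installed and consented to. It keeps the token in a
    process-wide store (think Android SharedPreferences or a singleton), so
    anything linked into the process can read it."""

    def __init__(self, app_id, platform):
        self.app_id = app_id
        self.platform = platform
        self.prefs = {}

    def login_with_social(self, profile):
        self.prefs["access_token"] = self.platform.authorize(self.app_id, profile)

    def greeting(self):
        me = self.platform.get_profile(self.prefs["access_token"])
        return f"Hello, {me['username']}"


class EmbeddedSdk:
    """Third-party SDK compiled into HostApp. No consent screen, no token of
    its own; it simply runs in the host's process and reads the host's."""

    def __init__(self, host):
        self.host = host
        self.harvested = []

    def on_app_start(self):
        token = self.host.prefs.get("access_token")  # same dict, same process
        if token is None:
            return
        profile = self.host.platform.get_profile(token)
        # The fields the article says were scraped.
        self.harvested.append(
            {k: profile[k] for k in ("email", "username", "gender", "last_tweets")}
        )


def run_scenario():
    """Log in once, then let the embedded SDK run. Returns what each party saw."""
    platform = MockPlatform()
    host = HostApp("com.example.hostapp", platform)
    sdk = EmbeddedSdk(host)

    host.login_with_social(SAMPLE_PROFILE)  # the only consent the user ever gives
    greeting = host.greeting()
    sdk.on_app_start()

    return {"greeting": greeting, "harvested": sdk.harvested, "audit": platform.audit}


if __name__ == "__main__":
    result = run_scenario()
    print(result["greeting"])
    print("SDK harvested:", result["harvested"])
    print("Platform audit log:", result["audit"])
```

The audit log is the point worth noticing: both calls are attributed to the same app id, so from the platform’s side the SDK’s request is indistinguishable from the app’s own. That is why the problem is caught by investigation and policy enforcement after the fact rather than blocked at the API, and why the only lever a user has is which apps they grant access to in the first place.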
The activity violates both companies’ data privacy policies, which prohibit third parties from harvesting profile information for data monetization. Those restrictions were tightened in the wake of the Cambridge Analytica scandal, in which a third-party application on Facebook scraped the data of up to 50 million users and handed it to Cambridge Analytica. That data was then combined with other data to build detailed profiles that the Trump campaign used to micro-target population segments with 2016 election messaging.
Twitter informed Google and Apple about the issue, it said.
Facebook characterized the SDK-makers as actively participating in malicious activity.
“Security researchers recently notified us about two bad actors, One Audience and MobiBurn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” according to a media statement it gave to CNBC. “After investigating, we removed the apps from our platform for violating our platform policies and issued cease-and-desist letters against One Audience and MobiBurn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social-media accounts.”
For its part, MobiBurn discontinued its SDK and posted a statement saying that it does not collect, share or monetize data from Facebook.
“Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies,” it said. “This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized.”
Neither SDK company immediately responded to a request for comment from Threatpost.