At a time when WhatsApp is being criticised in connection with the Pegasus snooping controversy, Facebook, along with Twitter, is back in the news for another privacy breach incident.
According to an advisory issued by the cybersecurity watchdog, the Indian Computer Emergency Response Team (CERT-In), malicious third-party applications have reportedly leaked personal data of Facebook and Twitter users, as per a Business Insider (BI) report. Notably, India is among the largest markets for both Facebook and Twitter.
“It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious software developer kits (SDKs) used in certain third-party apps,” the advisory added.
On how the privacy breach occurred, Facebook told BI that security researchers recently notified the company that OneAudience and Mobiburn were paying developers to use malicious SDKs in their apps, which are available in popular app stores such as Google Play Store and Apple Store.
Further, Twitter, while disclosing the privacy incident, said that the SDK developed by OneAudience carried a privacy-violating component which may have passed some of its users’ personal information (email, username, tweet, among others) to OneAudience servers. The microblogging platform also clarified that the breach did not happen due to a vulnerability in Twitter’s software; rather, it was a glitch in the integration of the SDKs which revealed its users’ data to OneAudience.
While Twitter has acknowledged that it has evidence this SDK was used to access its Android users’ personal data, the company said in a blog post that it hasn’t found any evidence of the privacy breach for users on the iOS version of its app.
Twitter has further informed Google and Apple about the malicious SDK so that they can take further action. “We have also informed other industry partners about this issue,” said Twitter.
Meanwhile, Facebook’s spokesperson reportedly said that after an investigation, the company has removed the apps which violated its platform’s policies. The social media company has also issued cease-and-desist letters to OneAudience and Mobiburn.
While neither of these social media companies has so far notified the users whose privacy was compromised by this breach, Facebook has said that it plans to carry out the process soon.
Facebook recently found itself in the eye of the storm after its subsidiary, WhatsApp, was found to be involved in a data breach incident which compromised the privacy of over a dozen users, including academicians, lawyers, journalists and activists in India.