Another Data Leak from Facebook, Twitter?

Though this time it isn’t the fault of these social platforms, as the data exposure is due to a bug in the app store for Android

 

Security researchers informed Twitter and Facebook late last night of a possible data exposure from these two platforms that may impact hundreds of their users. The leak could have occurred after these users logged into certain Android apps downloaded from Google Play Store, resulting in improper access to their digital data.

News of the data compromise was broken by CNBC on its website, which said that the security researchers discovered a software development kit (SDK) called One Audience that purportedly gave third-party developers access to personal data. This includes the email addresses, user names and most recent tweets of people who used their Twitter IDs to access apps such as Photofy.

However, the report was also quick to point out that while it may have been possible for hackers to take control of someone’s Twitter account through this vulnerability, there is no evidence of such an instance happening in the present case. Twitter, for its part, was quick to blog about the issue, informing users to beware of the SDK and its malicious intent while clarifying that it wasn’t its fault.

“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so,” Twitter said in the blog post.

It also said that while there was some evidence that the SDK was used to access personal data via the Twitter accounts of users on Android phones, there was no evidence of the same happening via the iOS version. “We have informed Google and Apple about the malicious SDK so that they can take further action if needed. We have also informed other industry partners about this issue,” Twitter said.

The latest scare for Android smartphone users comes on top of a recent research report that warned users about how clunky and mostly useless apps that come pre-loaded on an Android phone could be full of security holes. The research, carried out using tools to auto-scan such devices as part of a US government study, suggested that even Samsung and Sony phones could be vulnerable.

The social media companies and Google have been facing tough times since March 2018, when reports of analytics firm Cambridge Analytica accessing up to 87 million Facebook profiles for serving targeted ads for Donald Trump surfaced in the United States. The company had then suspended several thousand apps after running an investigation into the ecosystem.

On the latest suspected breach, CNBC quoted a Facebook spokesperson as suggesting that the company was made aware of the two bad actors, One Audience and Mobiburn, who paid developers to use malicious SDKs in a number of apps available on popular app stores. “After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against the two companies.”

Interestingly, Mobiburn chose to refute the statement from Facebook and said it wasn’t in the habit of collecting, sharing or monetizing data from Facebook. “Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies. This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized,” it said.

While it may take a few days to figure out how many users were compromised in the process, the latest attempt to hack into data suggests that this is something that the digital world has to live with. The pace at which hackers find loopholes will always be faster than the pace at which the good cops can plug them.

