Facebook and Twitter warn of malicious SDKs harvesting personal data from their users' accounts

Pierluigi Paganini November 26, 2019

Some third-party apps quietly scraped personal information from people's Twitter and Facebook accounts, the two social media companies say.

Facebook and Twitter revealed that some third-party apps quietly scraped personal information from people’s accounts without their consent.

According to the companies, the behavior that violates their policies is caused by a pair of "malicious" software development kits (SDKs) embedded in third-party iOS and Android apps.

The SDK was ostensibly designed to display ads. Experts noticed, however, that once users logged into either social network through one of these applications, the SDK silently accessed their profiles to collect information.

Apps that include the SDK code are able to collect usernames, email addresses, and tweets; the Android apps involved were not specified.

The malicious SDK was developed by the marketing firm OneAudience, and Twitter has already informed its users of the unauthorized activity.

"We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience," reads the advisory published by Twitter. "This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK."

Although Twitter has no evidence that the SDK was used to take control of a Twitter account, it does not rule out that an attacker could use the SDK to do so.

Twitter is aware that the malicious SDK was used to access personal data for at least some Twitter accounts on Android devices, while it has no evidence that the iOS version of the SDK was used in the same way.

Twitter reported the incident to Google, Apple, and other industry partners, and is calling on them to block the malicious SDK and the apps that include its code.

Facebook announced that it has identified at least two other SDKs built for a similar purpose: one maintained by oneAudience and the other by the marketing company MobiBurn.

The malicious SDKs were allegedly harvesting profile information, including names, genders, and email addresses.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” a Facebook spokesperson told The Register.

“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

While oneAudience did not comment on the incident, MobiBurn published a statement denying that it harvests Facebook data and announced an investigation into the third-party apps using its SDK.

"No data from Facebook is collected, shared or monetised by MobiBurn," reads the statement. "MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised."


Pierluigi Paganini

(SecurityAffairs – Twitter, data harvesting)
