Twitter and Facebook users should take note: both social media giants have confirmed that millions of users may have had their personal information compromised by malicious software hidden in third-party apps. This includes names, genders, emails, usernames and potentially users' most recent tweets.
On Monday, Twitter announced in a blog post, "We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience." The SDK, which is embedded in apps downloaded from the Google Play Store, could "exploit a vulnerability in the mobile ecosystem" to expose users' personal data to third-party developers.
Several applications ask users to link their Twitter and Facebook accounts in order to provide features such as in-game leaderboards and the ability to share achievements.
However, linking an account to an app that used this SDK potentially allowed third-party developers to access far more data than users had agreed to share. Twitter wrote, "While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so."
Luckily, there is nothing to suggest that iOS users were impacted. Unfortunately, the vulnerability was exploited to access the data of some Twitter users on Android. Twitter stated that it has already informed Google and Apple about the issue and that it will notify those who may have been impacted.
There is little that users can do other than delete unused apps, clean up their app permissions, and hope they weren't affected. The oneAudience SDK, as well as a similar SDK from MobiBurn, also affected Facebook users.
Facebook will also notify potentially affected users, whose number is a whopping 9.5 million. Facebook said in a statement to CNBC that it has removed the offending apps and issued cease and desist letters to both oneAudience and MobiBurn.
On Monday, oneAudience said in a statement, "This data was never intended to be collected, never added to our database and never used." MobiBurn also released a statement asserting it had not "collected, shared or monetised" any data from Facebook.