Naked Security

Facebook, Twitter profiles slurped by mobile apps using malicious SDKs

Hundreds of users gave permission to these third-party apps to access their social media accounts, but the apps got more handsy than that.

On Monday, Twitter and Facebook both claimed that bad apples in the app stores had been slurping hundreds of users’ profile data without permission.

After getting tipped off by security researchers, the platforms blamed a “malicious” pair of software development kits (SDKs) – from marketing outfits One Audience and MobiBurn – that third-party iOS and Android apps bundle in order to display ads. Neither Twitter nor Facebook has named the data-sucking apps, nor said how many bad apps they’ve found.

Twitter said that this wasn’t enabled by any bug on its platform. Rather, after getting a heads-up from security researchers, its own security team found that the malicious SDK from One Audience could exploit a weakness in the “mobile ecosystem” itself, not in Twitter’s software.

That weakness is the lack of isolation between SDKs within an app: every SDK a developer bundles runs inside the app’s own process, with the app’s permissions and access to the same stored credentials, so a marketing SDK can read whatever the app itself can. In this case, that could include personal information such as email, username, and last tweet. Twitter hasn’t found any evidence that any accounts were hijacked via the malicious SDK, mind you, but that’s what the vulnerability could have led to.

While Twitter hasn’t found any account takeovers, it has found evidence of slurping. The unauthorized data grab was only seen against Android user profiles, via unspecified Android apps:

We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.

Facebook, however, said in a statement that it had been hit by both of those bad SDKs, and that it has told both companies to cease and desist:

Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.

Facebook plans to notify the people whose personal data – including name, email and gender – was likely swiped after they gave permission for apps to access their profile information. Twitter says it’s informed Google and Apple about the malicious SDK, so they can take further action if needed, as well as other industry partners.

Facebook’s cautionary words regarding grabby apps:

We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.

Well, Facebook should know about grabby apps. Post-Cambridge Analytica data-slurping-pocalypse, as of September 2019, its roster of apps castigated over getting handsy with users’ data (or simply not bothering to respond to Facebook’s audit) was in the tens of thousands. Both platforms list the third-party apps currently connected to an account in the account settings, and access can be revoked there app by app.

One Audience has declined to respond to media questions.

On Monday, MobiBurn posted a statement saying hey, we’re not abusive data suckers. We’re just a matchmaker who hooks you up to app developers who may be data suckers:

No data from Facebook is collected, shared or monetised by MobiBurn.

MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies.

Notwithstanding that, the company says it has suspended its activities while it investigates the third-party app developers.
