Malicious SDKs Used to Access Personal Data of Twitter, Facebook Users

Security researchers notified the two social networks, which, in turn, alerted Google and Apple

Malicious SDKs were traced to mobile intelligence platform oneAudience and app monetization provider MobiBurn

Malicious third-party software-development kits may have been used to access user data from some users on Twitter and Facebook.

Security researchers notified the two social networks about the potential vulnerability, and Twitter and Facebook, in turn, alerted Google and Apple so that they could take steps to secure their respective application stores.

Kate Rooney and Salvador Rodriguez of CNBC reported that people who used their social network credentials to log in to and access third-party apps, including Giant Square and Photofy, may have been impacted, and that the malicious SDKs were traced to mobile intelligence platform oneAudience and app monetization provider MobiBurn.

Twitter cited only oneAudience in a Help Center post alerting users about the issue, saying, “This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an app. Our security team has determined that the malicious SDK, which could be embedded within a mobile app, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”

The social network said it has evidence that the SDK was used to access personal data from some Android Twitter users, but not for iOS, adding that it intends to directly notify anyone who may have been impacted.

And a spokesperson for Facebook shared the following statement: “Security researchers recently notified us about two bad actors, oneAudience and MobiBurn, who were paying developers to use malicious SDKs in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease-and-desist letters against oneAudience and MobiBurn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

David Cohen is editor of Adweek's Social Pro Daily.