Malicious third-party apps leak personal data from Facebook, Twitter

Cyber security watchdog Cert-In issued an advisory, without disclosing the impact on Indian subscribers, on malicious apps leaking data of Facebook and Twitter users.

Malicious applications have leaked personal data of Facebook and Twitter users to third-parties, according to an advisory issued by cybersecurity watchdog Cert-In without disclosing the impact on Indian subscribers.

India is one of the largest markets for Facebook and Twitter.

The apps violated Facebook's platform policy by installing software in their apps by sending information to two companies – OneAudience and MobiBurn, the advisory said.

Twitter shared that a software development kit (SDK) developed by OneAudience contains a privacy-violating component, which may have passed some of its users' personal information such as one's email id, username, and tweet(s) to OneAudience servers, it added.

"It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious SDKs used in certain third-party apps," Cert-in said in the advisory note on November 27.

When contacted, Facebook said that security researchers recently notified the company about two bad actors – One Audience and MobiBurn – who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and MobiBurn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender," a Facebook spokesperson said.

Twitter said the breach has not happened due to a vulnerability in Twitter's software, but rather the "lack of isolation between SDKs within an application".

"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," Twitter said in a blogpost.

It further said that the microblogging platform has also informed Google and Apple about the malicious SDK so they can take further action if needed.

"We have also informed other industry partners about this issue," Twitter said.

(Edited by Saheli Sen Gupta)