Another day, another breach involving Facebook, Twitter, and third-party developers.
On Monday, both Facebook and Twitter announced that the data of hundreds of users had been compromised due to a software development kit (SDK) named “One Audience” giving third-party developers access to certain data.
The data includes email addresses, usernames and recent tweets of anyone who accessed certain apps including Giant Square and Photofy from their Twitter accounts. While Twitter has confirmed that the SDK was used for accessing the data of Twitter users on Android, they claim that no evidence has been seen for the same occurring on iOS.
Twitter also clarified its own role in this statement:
This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.
Furthermore, Apple, Google, and certain other related companies have also been informed of the vulnerability so they can take action in line with user safety. If you are worried that you may have been affected, note that in an online disclosure notice Twitter has said it will inform any Android users it believes may have been affected.
Additionally, Facebook, speaking to The Verge, has said it removed both One Audience and Mobiburn for policy violations and simultaneously issued cease-and-desist letters to them. However, it has not confirmed what data could have been leaked, citing “permissions specific to each app” as a factor that makes the exposed data vary from user to user.
To conclude, the best way to stay safe from incidents like this is to be careful about which third-party apps you authorize via your accounts. As multiple past incidents in the cybersecurity industry have shown, some apps request permissions they never need and then use them to access your content for purposes you did not intend.
[Screenshot: Checking authorized apps for an account on Twitter.]
You can similarly check the apps and websites that have access to your account on Facebook. That way you can make sure only data you are comfortable sharing is available to outsiders, greatly reducing the risk of identity theft.