Facebook and Twitter warn of malicious SDK harvesting personal data from its accounts

November 26, 2019  By Pierluigi Paganini


Some third-party apps quietly scraped personal information from people’s accounts from Twitter and Facebook, the social media companies claim.

Facebook and Twitter revealed that some third-party apps quietly scraped personal information from people’s accounts without their consent.

According to the company, the cause of behavior that violates their policies is a couple of “malicious” software development kits (SDKs) used by the third-party iOS and Android apps.

The SDK was designed to display ads, experts noticed that once users of the social networks were logged into either service using one of these applications, the SDK silently accessed their profiles to collect information.

The apps that includes the SDK code are able to collect user names, email addresses, and Tweets via unspecified Android apps.

The malicious SDK was developed by the marketing firm OneAudience and Twitter already informed its customers of the unauthorized activity.

“We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience.” reads the advisory published by Twitter. ” This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.”

Even if Twitter experts have no evidence to suggest that this was used to take control of a Twitter account, they don’t exclude that it is possible that an attacker could use the SDK to do it. 

Twitter is aware that the malicious SDK was used to access personal data for at least some Twitter account using Android devices, while it has no evidence that the iOS version of this malicious SDK was used in the same way.

Twitter reported the incident to both Google and Apple, and other industry partners, and is calling for action to block the malicious SDK and apps that include its code.

Facebook announced that it has identified at least other two SDKs developed with a similar purpose activity, one of them was maintained by oneAudience and the second one from the marketing company MobiBurn.

The malicious SDKs were allegedly harvesting profile information, including names, genders, and email addresses.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” a Facebook spokesperson told The Register.

“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

While oneAudience did not comment on the incident, MobiBurn published a statement denying that it is harvesting Facebook data and announced an investigation on third-party apps using its SDK.

“No data from Facebook is collected, shared or monetised by MobiBurn,” reads the statement.MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised.”

Pierluigi Paganini

(SecurityAffairs – Twitter, data harversting)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Sponsored Content

  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    securityaffairs

  • PixFuture



More Story

Some Fortinet products used hardcoded keys and weak encryption for communications

 Researchers at SEC Consult Vulnerability Lab discovered multiple issues in several security products from Fortinet, including...