Malicious 3rd Party Apps Leak Personal Data From Facebook, Twitter
When contacted Facebook said that security researchers recently notified the company about two bad actors.
Malicious applications have leaked personal data of Facebook and Twitter users to third party, according to an advisory issued by cyber security watchdog Cert-In without disclosing the impact on Indian subscribers.
India is among largest market for Facebook and Twitter.
Twitter shared that a software development kit (SDK) developed by OneAudience contains privacy-violating component which may have passed some of its users' personal information like email, username, tweet to OneAudience servers, it added.
"It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious SDKs used in certain third-party apps," Cert-in said in the advisory note on 27 November.
When contacted Facebook said that security researchers recently notified the company about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores.
Twitter said the breach has not happened due to a vulnerability in Twitter's software, but rather the "lack of isolation between SDKs within an application".
"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," Twitter said in a blogpost.
It further said that the microblogging platform has also informed Google and Apple about the malicious SDK so they can take further action if needed.
"We have also informed other industry partners about this issue," Twitter said.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)