Millions of Twitter and Facebook users victims of malicious applications

Malicious developers have successfully created applications that can retrieve users’ personal data from Twitter and Facebook. Now identified, the two programs reached more than nine million Facebook subscribers.

Facebook and Twitter users may have been victims of information theft if they installed an application from a third-party application store, that is, one other than the Play Store for Android or the App Store for iOS. Twitter first warned its users via an announcement on its site, implicating a malicious software development kit (SDK), oneAudience.

When a user logged in to certain applications, a lack of separation between SDKs within the problematic applications allowed oneAudience to retrieve the email address, user name and last tweet. The site said the problem affected Android users and that it found no evidence of it in the iOS version of the offending apps. Twitter plans to directly notify affected users, and stated that “however, if you believe you have downloaded a malicious application from a third-party application store, we recommend that you remove it immediately.”

Facebook affected by two SDKs

A Facebook spokesperson also told Engadget that the company had discovered two problematic SDKs, oneAudience and a second named Mobiburn. He said in particular that the problem affected 9.5 million users of the social network, who will soon be notified that their data may have been compromised.

The two social networks have disabled permissions for the apps in question and have notified Apple and Google so they can take action if necessary. Named by Twitter and Facebook, oneAudience says it has never collected such information and has released an update to its SDK, while Mobiburn, in a similar statement, says it has stopped all activity during a third-party investigation.