Facebook and Twitter user data has been exposed due to a malicious third-party Android...


TS Evangelist
Staff member

As reported by CNBC today, "hundreds" of Facebook and Twitter users may have had their personal data "improperly accessed" due to a malicious Android SDK embedded in certain apps, including Giant Square and Photofy.

When users sign in to these apps using Twitter or Facebook, the SDK in question is capable of exploiting a vulnerability in the "mobile ecosystem" to allow certain details -- including emails, usernames, and Tweets -- to be swiped by bad actors. In a public disclosure post, Twitter says that while it has "no evidence" to suggest any accounts were actually taken over due to exposed information, it's "possible" that an individual could do so if they wished.

Facebook users were impacted in largely the same way. The same malicious SDK was used to access similar data, including names, emails, and gender identity information. Nothing too damning in the grand scheme of things, but email addresses, in particular, are likely something many people would prefer to keep as private as possible (an increasingly tough task in today's day and age).

Both Facebook and Twitter have made it clear that their own systems have not been breached; at least, to their knowledge. Twitter says this matter did not come about due to any vulnerability in its own app software. Instead, the social media giant claims the vulnerability was made possible due to the "lack of isolation between SDKs" in an app.

If you want to protect yourself from this problem, be sure to visit the third-party app authorizations menu in your Facebook or Twitter account's settings. If you see any apps you don't recognize or don't need, you can revoke their access, which stops those apps (and any SDK bundled inside them) from reading your account details going forward.

It should also be noted that iOS users do not appear to have been affected by any of this. Revoking unnecessary third-party app access is still good security practice, but the "mobile ecosystem vulnerability" seems to be exclusive to Android devices for now. Google (and Apple, for good measure) have already been notified of the dilemma, and we'll update you if it gets fixed.




TS Evangelist
I like Twitter's honesty. It may have even put a smile on my face. If I were to play devil's advocate, I would wonder if they did it because the backup plan is to blame Google. Only time will tell.