If you’ve used your Twitter or Facebook account to log in to another app on your phone, some of your personal information could have been accessed by shady developers. Twitter published a notice on its website that says some third-party developers may have used a software development kit called oneAudience to obtain your email, username and last tweet and share them with the company that created the tool. Facebook says it too had fallen victim to the oneAudience scam and plans to issue a similar notice to its users later today.
As reported by CNBC today, “hundreds” of Facebook and Twitter users may have had their personal data “improperly accessed” due to a malicious Android SDK embedded in certain apps, including Giant Square and Photofy.
When users sign in to these apps using Twitter or Facebook, the SDK in question is capable of exploiting a vulnerability in the “mobile ecosystem” to allow certain details including emails, usernames, and Tweets to be swiped by bad actors. In a public disclosure post, Twitter says that while it has “no evidence” to suggest any accounts were actually taken over due to exposed information, it’s “possible” that an individual could do so if they wished.
Facebook users were impacted in largely the same way. The same malicious SDK was used to access similar data, including names, emails, and gender identity information. Nothing too damning in the grand scheme of things, but email addresses, in particular, are likely something many people would prefer to keep as private as possible.
Both Facebook and Twitter have made it clear that their own systems have not been breached, at least to their knowledge. Twitter says this matter did not come about due to any vulnerability in its own app software. Instead, the social media giant claims the vulnerability was made possible by the “lack of isolation between SDKs” in an app.
If you want to protect yourself from this problem, be sure to visit your third-party app authorizations menu in your Facebook or Twitter account’s settings. If you see any apps you don’t recognize or don’t need, you can revoke their access, which should keep your details secure.
While this doesn’t seem to be as large as last year’s Cambridge Analytica data abuse, the potential exposure of people’s data could be yet another factor that erodes the faith people have in Facebook’s ability to keep their personal information secure. More than that, though, it’s a reminder not to blindly use Facebook or Twitter logins for third-party apps and services unless you know exactly what they’re doing with that information.