Yesterday, both Facebook and Twitter revealed that the data of “hundreds of users” might have been improperly accessed after their accounts were used to log in to Google Play Store apps on Android devices. There is no word on whether iOS users were also affected. The issue was first reported by CNBC.
Both Facebook and Twitter were notified of this vulnerability by third-party security researchers. The researchers discovered that a development kit named One Audience gave outsiders (mostly developers) access to personal information like usernames and email addresses. If someone used their Twitter account to log in to these apps, not only their username and email address but also their most recent tweets were accessible. Giant Square and Photofy users are also reported to be exposed to this security threat.
A Facebook spokesperson said to The Verge: “After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email, and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
On the other hand, Facebook itself stated that any data shared with the app could have been leaked, but that the leaked information “depends on the app and the permissions users allowed.”
In a blog post, Twitter said that the “issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs [software development kits] within an application.” They also said that they will notify users who might have been impacted on a case-by-case basis.
Twitter further commented that they have reached out to Google and Apple “so they can take further action if needed.”