Facebook and Twitter announced that the data of “hundreds of users” may have been improperly accessed after the users' accounts were used to log in to Google Play Store apps on Android devices.
The companies were notified of the vulnerability by third-party security researchers, Twitter said in a blog post. The researchers discovered that a development kit named One Audience gave outside developers access to personal information, including usernames and email addresses. If someone used their Twitter account to log in to these apps, their most recent tweets were also accessible. A report from CNBC claims that users of photo editing apps like Giant Square and Photofy could be affected.
“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts,” Facebook said.
Facebook added that any data shared with the app could have been leaked, but the specific information “depends on the app and the permissions users allowed.”
Twitter said that the “issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs [software development kits] within an application.” The company will notify users of Twitter for Android who may have been impacted.
Twitter said that it has notified Google and Apple of the vulnerability “so they can take further action if needed.”