Another day, and another new data breach on two of the biggest social networks. This time around, the main problem is due to two bad actors, and not the platforms themselves. Facebook and Twitter announced on Monday that the companies were notified about malicious software development kits (SDKs) that allowed certain apps to collect users’ data from the apps without their permission.
The main culprits here are One Audience and Mobiburn, the developers of the malicious SDKs, which apparently paid app developers to use the SDKs and secretly collect users’ data. Twitter noted that the issue isn’t due to a vulnerability in its software. The breach was caused by “the lack of isolation between SDKs within an application”, according to the company.
The company also said that the malicious SDKs could allow apps to access personal information like your email, username, and your last tweet without your permission. “We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” the company said.
Both Facebook and Twitter have confirmed they will reach out to the affected users, notifying them about the breach, says CNBC. The companies have also notified Google and Apple so they can take further action against apps using the malicious SDKs. Facebook and Twitter have already removed apps using the SDKs from their platforms.
It’s not clear exactly how the SDKs were able to get such personal information, though it seems like a platform-level issue. Twitter and Facebook, unfortunately, haven’t revealed the technical details behind the problem.