Twitter warned its users that a software development kit (SDK) developed by oneAudience could have allowed that company to obtain account information.
Facebook also posted a notice concerning not only the oneAudience SDK, but also one from fellow SDK maker Mobiburn.
OneAudience confirmed the problem and then shut down the SDK along with its associated websites but said the data was never intended to be collected, never added to its database and never used.
“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used,” oneAudience said in a statement.
OneAudience’s stated goal was to “help developers earn new revenue by enhancing app user information into the audience insights advertisers crave.”
In a statement Twitter, which described the SDK as “malicious”, said the issue was not within its software, but resulted from a lack of isolation between SDKs within an application. The SDK itself is normally embedded within a mobile application, where it could potentially exploit a vulnerability to allow information including email, username and last Tweet to be accessed. There is even the possibility for an account to be taken over via the flaw.
OneAudience said the SDK was updated on November 13, 2019 to stop it from collecting information and pushed to its partners.
Facebook took on both developers, saying oneAudience and Mobiburn were paying developers to place malicious SDKs in apps.
“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn,” Facebook said.
Twitter determined that the oneAudience SDK only affected Android devices used to access Twitter.
Facebook and Twitter are notifying those whose data was affected, and Twitter has informed Apple, Google and other industry partners about the SDK.