SoylentNews is people
SoylentNews
from the stop-me-if-you've-heard-this-one dept.
Arthur T Knackerbracket has found the following story:
Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people's accounts without permission.
The antisocial networks blamed the data slurp on what they termed a pair of "malicious" software development kits (SDKs) used by the third-party iOS and Android apps to display ads. Once a user was logged into either service using one of these applications, the embedded SDK could silently access that user's profile and covertly collect information, it is claimed.
[...] [Facebook said] "Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," a Facebook spokesperson told The Register.
"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."
Spokespeople for oneAudience declined to comment. Meanwhile, MobiBurn has issued a public statement on the matter.
(Score: 4, Insightful) by Runaway1956 on Wednesday November 27 2019, @10:49AM (7 children)
If these social media providers permit this sort of code to run, they should be liable for it. A provider that has the power to ban people for their political and other opinions, also has the power to decide what code can run on their sites.
These assholes want the best of all possible worlds, in which they can dictate what they want to dictate, but aren't liable for anything at all.
How 'bout some civil suits, to make twitter and facebook PAY FOR all that data that is slurped up?
(Score: 2, Insightful) by Anonymous Coward on Wednesday November 27 2019, @11:18AM (4 children)
The problem is that from what I understand, the code is not running "on their site" directly, but on an end user's device in a 3rd party app as part of the malicous SDK, so outside any visible context to the targetted sites. I would not expect, nor want, the targetted sites to have sufficient device access to audit the code to that level. (That level of audit access would also break my own scripts masquerading as a web browser to slurp data, since such masquerading becomes more easily detectable. *shifty-eyes* )
But more seriously...
This is more user education, user's should stop giving 3rd parties access to each other's data without understanding the consequences. But I doubt that can be fixed. Reminds me of LinkedIn asking for people's email passwords, so LinkedIn can access people's email "to build the contact list" - but people are still silly and trust LinkedIn with access to their emails without understanding what power they've just handed over to LinkedIn.
Though this particular issue is slightly different in that, with the malicous SDK, there is one additional 3rd party which to the end user unintentionally gains access to the information which they only explicitly consented for one particular app.
(Score: 0) by Anonymous Coward on Wednesday November 27 2019, @12:29PM
Ah!, a malicious SDK, as opposed to one which is kosher and blessed...
What amuses me here is that FB and Twatter are quite happy to allow momsers to build apps using 'blessed' SDKs which try and 'exchange pleasantries' with various servers run by them, even when the users of these apps have no accounts with either of them, especially FB. All I can say is thank fsck for firewalls on android, I'm particularly getting increasingly narked off by the number of kosher apps I've run for a while whose recent updates are now trying to talk to FB servers on the fly (try resolve IPv4 address for weird server with a FB address...if no joy...try resolve IPv6 address for same server..if no joy...try hardwired IP..bastards...).
(Score: 3, Interesting) by FatPhil on Wednesday November 27 2019, @09:32PM (2 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by darkfeline on Thursday November 28 2019, @09:19AM (1 child)
Are you saying that Facebook et al should not be letting users access their own data via an API? If hypothetically I used Facebook, I would like to access my data via an API, including giving applications of my choosing access to that data.
Clearly Facebook should have done the responsible thing and only sold data to other companies via proprietary APIs, instead of letting the user shoot themselves in the face.
To use an analogy, this is like your landlord holding onto the keys for you. If you want to enter your apartment, you have to call your landlord to let you in. God forbid the landlord give you the key only for you to lose it and get burgled. That would 100% be the landlord's fault for being so irresponsible as giving you the keys, and completely not your fault for being an idiot and losing the keys.
Join the SDF Public Access UNIX System today!
(Score: 2) by FatPhil on Thursday November 28 2019, @03:15PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Interesting) by darkfeline on Thursday November 28 2019, @09:22AM (1 child)
If users permit code to access their own data, the user should be liable for it.
These assholes want the best of all possible worlds, in which they can explicitly authorize arbitrary untrusted third parties to access their data freely and not have their data abused.
Join the SDF Public Access UNIX System today!
(Score: 2) by Runaway1956 on Thursday November 28 2019, @05:33PM
There was a day when I did not understand that the silly games and apps on social media were scarfing data. Unless you are born of a virgin, and your initials are J.C, you probably didn't understand it either. Like most people, we only began to understand that when we had our noses rubbed in it, by one means or another.
When you install a game or app on Facebook, there is no banner headline telling you that "The creator of this stupid app will be able to access everything you do on our platform! Kiss any idea of privacy goodbye!"
And, there needs to be such a warning. Not for you, not for me, probably not for anyone who frequents SN. It's the billions of bubbleheaded people who believe they are getting something for free who need that warning.
As mentioned above, we were all conditioned to click through all that crap, even before FB came along.