Stories
Slash Boxes
Comments

SoylentNews is people

Facebook And Twitter Profiles Silently Slurped By Shady Code

posted by Fnord666 on Wednesday November 27 2019, @10:07AM   Printer-friendly
from the stop-me-if-you've-heard-this-one dept.

Arthur T Knackerbracket has found the following story:

Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people's accounts without permission.

The antisocial networks blamed the data slurp on what they termed a pair of "malicious" software development kits (SDKs) used by the third-party iOS and Android apps to display ads. Once a user was logged into either service using one of these applications, the embedded SDK could silently access that user's profile and covertly collect information, it is claimed.

[...] [Facebook said] "Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," a Facebook spokesperson told The Register.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."

Spokespeople for oneAudience declined to comment. Meanwhile, MobiBurn has issued a public statement on the matter.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Facebook And Twitter Profiles Silently Slurped By Shady Code | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Interesting) by FatPhil on Wednesday November 27 2019, @09:32PM (2 children)

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday November 27 2019, @09:32PM (#925462) Homepage
    It's accessing their API. It's asking for the user's data, and facebook/twitter are giving it that data. This is the old "he hacked our site because he made a HTTP request that we responded to by serving the content he asked for" bullshit. Either the API is braindead and has no intention to keep user data private, or their handling of API calls is braindead because it does no authorisation checks. Either way, it's twitter/facebook that is 100% to blame for this leak.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by darkfeline on Thursday November 28 2019, @09:19AM (1 child)

    by darkfeline (1030) on Thursday November 28 2019, @09:19AM (#925600) Homepage

    Are you saying that Facebook et al should not be letting users access their own data via an API? If hypothetically I used Facebook, I would like to access my data via an API, including giving applications of my choosing access to that data.

    Clearly Facebook should have done the responsible thing and only sold data to other companies via proprietary APIs, instead of letting the user shoot themselves in the face.

    To use an analogy, this is like your landlord holding onto the keys for you. If you want to enter your apartment, you have to call your landlord to let you in. God forbid the landlord give you the key only for you to lose it and get burgled. That would 100% be the landlord's fault for being so irresponsible as giving you the keys, and completely not your fault for being an idiot and losing the keys.

    --
    Join the SDF Public Access UNIX System today!

    • (Score: 2) by FatPhil on Thursday November 28 2019, @03:15PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday November 28 2019, @03:15PM (#925643) Homepage
      No, I'm saying that at all. I'm saying that there should be finer grained access rights, that's all, it shouldn't be all or nothing. And those rights should be primarily at the behest of the user. I'm not saying it's a good example, as it's implemented terribly, but it's at least an example of restricting visibility of various data - look at the permissions that android apps request.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves