SoylentNews is people

posted by Fnord666 on Wednesday November 27 2019, @10:07AM
from the stop-me-if-you've-heard-this-one dept.

Arthur T Knackerbracket has found the following story:

Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people's accounts without permission.

The antisocial networks blamed the data slurp on what they termed a pair of "malicious" software development kits (SDKs) used by the third-party iOS and Android apps to display ads. Once a user was logged into either service using one of these applications, the embedded SDK could silently access that user's profile and covertly collect information, it is claimed.

[...] [Facebook said] "Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," a Facebook spokesperson told The Register.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."

Spokespeople for oneAudience declined to comment. Meanwhile, MobiBurn has issued a public statement on the matter.


This discussion has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by Runaway1956 on Wednesday November 27 2019, @10:49AM (7 children)

    by Runaway1956 (2926) on Wednesday November 27 2019, @10:49AM (#925304) Homepage Journal

    If these social media providers permit this sort of code to run, they should be liable for it. A provider that has the power to ban people for their political and other opinions, also has the power to decide what code can run on their sites.

    These assholes want the best of all possible worlds, in which they can dictate what they want to dictate, but aren't liable for anything at all.

    How 'bout some civil suits, to make twitter and facebook PAY FOR all that data that is slurped up?

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 2, Insightful) by Anonymous Coward on Wednesday November 27 2019, @11:18AM (4 children)

      by Anonymous Coward on Wednesday November 27 2019, @11:18AM (#925316)

      The problem is that from what I understand, the code is not running "on their site" directly, but on an end user's device in a 3rd party app as part of the malicious SDK, so outside any visible context to the targeted sites. I would not expect, nor want, the targeted sites to have sufficient device access to audit the code to that level. (That level of audit access would also break my own scripts masquerading as a web browser to slurp data, since such masquerading becomes more easily detectable. *shifty-eyes* )

      But more seriously...

      This is more user education, users should stop giving 3rd parties access to each other's data without understanding the consequences. But I doubt that can be fixed. Reminds me of LinkedIn asking for people's email passwords, so LinkedIn can access people's email "to build the contact list" - but people are still silly and trust LinkedIn with access to their emails without understanding what power they've just handed over to LinkedIn.

      Though this particular issue is slightly different in that, with the malicious SDK, there is one additional 3rd party which to the end user unintentionally gains access to the information which they only explicitly consented for one particular app.

      • (Score: 0) by Anonymous Coward on Wednesday November 27 2019, @12:29PM

        by Anonymous Coward on Wednesday November 27 2019, @12:29PM (#925325)

        '...the code is not running "on their site" directly, but on an end user's device in a 3rd party app as part of the malicious SDK..'

        Ah!, a malicious SDK, as opposed to one which is kosher and blessed...

        What amuses me here is that FB and Twatter are quite happy to allow momsers to build apps using 'blessed' SDKs which try and 'exchange pleasantries' with various servers run by them, even when the users of these apps have no accounts with either of them, especially FB. All I can say is thank fsck for firewalls on android, I'm particularly getting increasingly narked off by the number of kosher apps I've run for a while whose recent updates are now trying to talk to FB servers on the fly (try resolve IPv4 address for weird server with a FB address...if no joy...try resolve IPv6 address for same server..if no joy...try hardwired IP..bastards...).

      • (Score: 3, Interesting) by FatPhil on Wednesday November 27 2019, @09:32PM (2 children)

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday November 27 2019, @09:32PM (#925462) Homepage
        It's accessing their API. It's asking for the user's data, and facebook/twitter are giving it that data. This is the old "he hacked our site because he made a HTTP request that we responded to by serving the content he asked for" bullshit. Either the API is braindead and has no intention to keep user data private, or their handling of API calls is braindead because it does no authorisation checks. Either way, it's twitter/facebook that is 100% to blame for this leak.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by darkfeline on Thursday November 28 2019, @09:19AM (1 child)

          by darkfeline (1030) on Thursday November 28 2019, @09:19AM (#925600) Homepage

          Are you saying that Facebook et al should not be letting users access their own data via an API? If hypothetically I used Facebook, I would like to access my data via an API, including giving applications of my choosing access to that data.

          Clearly Facebook should have done the responsible thing and only sold data to other companies via proprietary APIs, instead of letting the user shoot themselves in the face.

          To use an analogy, this is like your landlord holding onto the keys for you. If you want to enter your apartment, you have to call your landlord to let you in. God forbid the landlord give you the key only for you to lose it and get burgled. That would 100% be the landlord's fault for being so irresponsible as giving you the keys, and completely not your fault for being an idiot and losing the keys.

          --
          Join the SDF Public Access UNIX System today!
          • (Score: 2) by FatPhil on Thursday November 28 2019, @03:15PM

            by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday November 28 2019, @03:15PM (#925643) Homepage
            No, I'm saying that at all. I'm saying that there should be finer grained access rights, that's all, it shouldn't be all or nothing. And those rights should be primarily at the behest of the user. I'm not saying it's a good example, as it's implemented terribly, but it's at least an example of restricting visibility of various data - look at the permissions that android apps request.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Interesting) by darkfeline on Thursday November 28 2019, @09:22AM (1 child)

      by darkfeline (1030) on Thursday November 28 2019, @09:22AM (#925601) Homepage

      If users permit code to access their own data, the user should be liable for it.

      These assholes want the best of all possible worlds, in which they can explicitly authorize arbitrary untrusted third parties to access their data freely and not have their data abused.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by Runaway1956 on Thursday November 28 2019, @05:33PM

        by Runaway1956 (2926) on Thursday November 28 2019, @05:33PM (#925700) Homepage Journal

        explicitly authorize arbitrary untrusted third parties

        There was a day when I did not understand that the silly games and apps on social media were scarfing data. Unless you are born of a virgin, and your initials are J.C, you probably didn't understand it either. Like most people, we only began to understand that when we had our noses rubbed in it, by one means or another.

        When you install a game or app on Facebook, there is no banner headline telling you that "The creator of this stupid app will be able to access everything you do on our platform! Kiss any idea of privacy goodbye!"

        And, there needs to be such a warning. Not for you, not for me, probably not for anyone who frequents SN. It's the billions of bubbleheaded people who believe they are getting something for free who need that warning.

        As mentioned above, we were all conditioned to click through all that crap, even before FB came along.

        --
        Abortion is the number one killer of children in the United States.
  • (Score: 2) by Gaaark on Wednesday November 27 2019, @12:02PM

    by Gaaark (41) on Wednesday November 27 2019, @12:02PM (#925320) Journal

    But I do use Rapper....I got hit by Slim Shady code.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by Arik on Wednesday November 27 2019, @12:18PM

    by Arik (4543) on Wednesday November 27 2019, @12:18PM (#925323) Journal
    "You must enable javascript to view this page."

    So obviously they're part of the problem.

    Facebook and twitter are cancer. Block them at the router.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 2) by takyon on Wednesday November 27 2019, @01:52PM

    by takyon (881) <{takyon} {at} {soylentnews.org}> on Wednesday November 27 2019, @01:52PM (#925332) Journal

    The code didn't do anything wrong. It just slurped at a shady data watering hole.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 2) by Thexalon on Wednesday November 27 2019, @01:58PM

    by Thexalon (636) on Wednesday November 27 2019, @01:58PM (#925335)

    There ain't no such thing as privacy on social media. Period. I don't care what your settings are, the megacorp that created the platform has your data and can and will use it to sell targeted ads, which means whichever ad company they sell to will be able to figure out what your data is more-or-less about.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 3, Interesting) by jmichaelhudsondotnet on Wednesday November 27 2019, @03:00PM (2 children)

    by jmichaelhudsondotnet (8122) on Wednesday November 27 2019, @03:00PM (#925347) Journal

    What if I told you facebook was a bad actor?

    Talk about snuck premises ffs, this is like saying someone is a murderer because he caught another murderer for us.

    When really it is a murderer pointing to a detective who caught another murderer, hoping by simply helping with the effort they will be perceived less as a murderer.

    And laptog sycophants line up to clap like seals because they are rich.

    But if you have unlimited money, how the zuck is anyone so incompetent that they rely on someone else to find even the most basic security flaws in their ecosystem while they travel to the whitehouse and help fascists steal elections in the interest of foreign countries and basically every cult and mafia in the world?

    How naive are you chumps really? Oh and they want you to send an identified photo so they can know not to track you, lol, how did I end up surrounded by people who believe everything they're told?

    Remember, my stance has been, since before it was cool, that zuckerberg gets prison for life and he can share a cell next to the squatting president or the united states goes down in history as a bunch of idiots, led by their sellout police and cylon-tech-reliant military into shameful oblivion.

    Rewatch Bulworth, some gems in there that are as fresh today as they were way back.
    The Public was also good, in case anyone needs remembering what the real world and real united states is actually like while the ascendant overlords rearrange their deck chairs and fill their databases with our toothpaste selections.

    And here a meme to explain further why my viewpoint, in defense of the united states and basic liberal values, and for enforcement of existing law against people even if they are wealthy, is called crazy and nazi:

    https://archive.is/nD4UY [archive.is]