On Monday, Facebook and Twitter announced that the data of “hundreds of users” may have been improperly accessed after their accounts were used for logging into Google Play Store apps on Android devices. The issue was first reported by CNBC. So far, there is no indication that iOS users were affected.
The companies were notified of the vulnerability by third-party security researchers, Twitter said in a blog post disclosing the issue. The researchers discovered that a development kit named One Audience gave outside developers access to personal information, including usernames and email addresses. If someone used their Twitter account to log in to these apps, their most recent tweets were also accessible. CNBC said that users of photo editing apps like Giant Square and Photofy could be affected.
When reached for comment by The Verge, a Facebook spokesperson gave the following statement:
After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.
Reached for clarification on the specific data revealed, Facebook said any data shared with the app could have been leaked, but the specific information “depends on the app and the permissions users allowed.”
In a blog post published on Monday, Twitter said that the “issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs [software development kits] within an application.” The company will notify users of Twitter for Android who may have been impacted.
Twitter said that it has notified Google and Apple of the vulnerability “so they can take further action if needed.” Google and Apple did not immediately respond to a request for comment.
Correction: An earlier version of this headline implied that Twitter and Facebook had directly exposed user data to developers. In fact, the exposure took place through a third-party SDK outside of either company’s infrastructure. The Verge regrets the error.