If you used your Facebook or Twitter login on Android apps there is a pretty good chance your personal data ended up in the hands of third parties.
OneAudience and Mobiburn are third-party software kits that allow integration of ads into Android apps. Many developers use these SDKs, which have been integrated into tens of thousands of apps so far.
But both were recently found to be offering something more than a handy login button. The SDKs collect personal information.
Twitter was the first to inform its users about the activities of OneAudience. The company explained in a statement that such practices were a hard policy violation, providing developers with private information like user names, email addresses, and tweets of affected accounts.
This is not a vulnerability in aforementioned networks, but an exploit in mobile systems. Users do not have to worry about their accounts but are still advised to review their Twitter settings and the list of authorized apps.
Meanwhile, Facebook already started banning these third-party apps from its ecosystem. The data at risk of being accessed includes profile information (name, gender, contact address). The social media giant will be sending notifications to all affected users.
Facebook explained that apps installed by users and the permissions set would have determined what exactly reached the third-party developer. Facebook has also sent a cease and desist letter to OneAudience and Mobiburn.
OneAudience responded by shutting down the SDK in question, claiming that the data was never supposed to be collected.