In July this year, Facebook agreed to a $5 billion settlement with the US Federal Trade Commission over its privacy failures in the Cambridge Analytica case. More recently, Facebook disclosed that a group of roughly 100 developers had retained access to additional information about members of Facebook groups. Separately, malicious apps have leaked personal data of Facebook and Twitter users to third parties (source: watchdog CERT-In). “It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious SDKs used in certain third-party apps,” CERT-In said in an advisory note on November 27.
Why It Happened?
Twitter said that an SDK (software development kit) developed by OneAudience contained privacy-violating code and may have passed sensitive data of Twitter users, such as email address and username, to the SDK vendor. The SDK ran inside legitimate third-party apps that users had authorised, so it operated with those apps' access to the user's account.
Facebook said it had been notified that ‘OneAudience’ and ‘Mobiburn’ were paying developers to embed malicious SDKs in apps available on app stores. After investigation, the malicious apps were removed.
What Can You Learn?
The attack exploited weaknesses at several stages, and a few mitigation steps follow from it:
- App store policy enforcement: rigorous and frequent checks for policy violations can, to some extent, contain and reduce such activity.
- Third-party security measures: an SDK embedded in an app runs with the app's own permissions and access tokens, so any vulnerability or misbehaviour in it affects one's own customers. Every embedded SDK should be audited for what data it can reach and what it sends out before it ships.
- PII handling rules within the company: distribute PII carefully, and collect it only when absolutely necessary, so there is less to leak if a third-party component turns out to be malicious.
- Third-party risk assessment: modern tools let one understand the threat landscape arising from one's vendors, including the SDKs they supply.