Facebook Sues Analytics Firm Over “Malicious” SDK

Facebook has filed a lawsuit in California against a data analytics company it claims has illegally accessed user data.

New Jersey-based OneAudience allegedly paid app developers to embed a malicious software development kit (SDK) in their apps. The SDK was designed to harvest information, including name, gender, email and username, from users who logged in to those apps with their Facebook credentials, the social network claimed.

“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” wrote the firm’s director of platform enforcement and litigation, Jessica Romera.

“Facebook’s measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate.”

The firm is said to have done the same to Twitter and Google users. Twitter claimed in a notice that the issue was down to “a lack of isolation between SDKs within an application.”

“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK,” it explained.

“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”

In a statement back in November, OneAudience said that it was shutting down the offending SDK.

“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used,” it said.

“We proactively updated our SDK to make sure that this information could not be collected on November 13 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.”