Facebook Sues Analytics Firm Over “Malicious” SDK

Facebook has filed a lawsuit in California against a data analytics company it claims has illegally accessed user data.

New Jersey-based OneAudience allegedly paid app developers to install a malicious software development kit (SDK) in their apps. This was designed to harvest information including name, gender, email and username of users logging in to the apps with their Facebook credentials, the social network claimed.

“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” wrote the firm’s director of platform enforcement and litigation, Jessica Romera.

“Facebook’s measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate.”

The firm is said to have done the same to Twitter and Google users. Twitter claimed in a notice that the issue was down to “a lack of isolation between SDKs within an application.

“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK,” it explained.

“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”

In a statement back in November, OneAudience said that it was shutting down the offending SDK.

“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used,” it said.

“We proactively updated our SDK to make sure that this information could not be collected on November 13 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.”
