Facebook says 100 app developers could have improperly accessed user data for months
Dozens of third-party apps may have had access to certain Facebook user data for months after the company moved to place limits on that information, the social media giant said on Tuesday. © Justin Sullivan/Getty Images SAN JOSE, CALIFORNIA - APRIL 30: The Facebook logo is displayed during the F8 Facebook Developers conference on April 30, 2019 in San Jose, California. Facebook CEO Mark Zuckerberg delivered the opening keynote to the FB Developer conference that runs through May 1.
On Monday, Facebook and Twitter announced that the data of “hundreds of users” may have been improperly accessed after their accounts were used for logging into Google Play Store apps on Android devices. The issue was. So far, there is no indication that iOS users were affected.
The companies were notified of the vulnerability by third-party security researchers, Twitter said in a blog post disclosing the issue. The researchers discovered that a development kit named One Audience gave outside developers access to personal information, including usernames and email addresses. If someone used their Twitter account to log in to these apps, their most recent tweets were also accessible. CNBC said that users of photo editing apps like Giant Square and Photofy could be affected.
Facebook says 100 software developers may have improperly accessed user data
Some developers retained access that was supposed to have been terminated last year.Facebook said it discovered that many developers still had access to data about users in groups, despite changes the company made in April 2018 to cut off this access, Facebook said in a blog post. Facebook said it knew of at least 11 developer partners that had accessed the data in the past 60 days and has contacted about 100 developers who may have had access to the data.
When reached for comment by The Verge, a Facebook spokesperson gave the following statement:
After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.
Reached for clarification on the specific data revealed, Facebook said any data shared with the app could have been leaked, but the specific information “depends on the app and the permissions users allowed.”
, Twitter said that the “issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs [software development kits] within an application.” The company will notify users of Twitter for Android who may have been impacted.
Twitter said that it has notified Google and Apple of the vulnerability “so they can take further action if needed.” Google and Apple did not immediately respond to a request for comment.
Facebook will now send you notifications for third-party logins .
It's pretty easy to forget where you use your Facebook credentials to log in, especially since using it is as easy as clicking a single button. The notification, which you'll get via email and the Facebook app, shows you what kind of details Facebook shared with the third-party application or website. If sharing your email address and photo with a random app you logged into doesn't sit well with you, you can click on the Edit Settings button in the email to remove the app's permission to access your details.