It's bad enough that the bad guys are getting more sophisticated with their schemes to steal your personal information. Now, it seems that we're at the point where even the apps we download from reputable places like the Google Play Store are being used by those same bad guys. That's based on a report from CNBC that says security researchers highlighted a flaw to both Facebook and Twitter this week.
In fact, according to Engadget, almost 10 million users may have had their Twitter and Facebook accounts compromised by the presence of two software development kits (SDKs) that allowed outside access to their information. In a blog post, Twitter confirmed that user information may have been compromised if you connected your social media accounts to various apps using the SDK.
Here's what that means:
If you use an Android device and have downloaded apps containing one of these SDKs, and connected your social media accounts to any of those apps, it's possible that information like your name, username, email, and gender was shared in places you may not have intended. Both of the developers whose SDKs were implicated, oneAudience and MobiBurn, have said that they have shut down their SDKs while they "investigate."
Both Twitter and Facebook say they have taken steps to prevent future use of either SDK to gain access to your information. In addition, iOS users appear to be unaffected by this particular issue.
It's not uncommon for apps, especially games or other apps that have leaderboard features, to ask you to connect your social media account. However, in apps that included one of these SDKs, third-party developers were able to access users' personal information.
Twitter went so far as to say that while it doesn't have any evidence that this flaw was actually used to take over any accounts, it could have been used that way.
The report from CNBC specifically mentioned that the flaw was found in the photo-editing apps Giant Square and Photofy, but that other apps that encourage users to connect their Twitter and Facebook accounts could be affected. In reality, there's very little functionality added to most apps by connecting your social media accounts, meaning it's probably best to avoid it unless you have a really good reason to do so.
In fact, there's really never a good reason to use your social media accounts to log in to apps on your mobile device. Sure, it seems like it saves you some time creating an account, but it's simply not worth it.
This latest revelation comes as both companies have faced increased scrutiny over the way they handle users' personal information. Facebook, for example, has come under fire on several occasions for lax policies regarding how developers and advertisers are able to access and use information about users of both its namesake Facebook and Instagram apps.
The fact that apps were able to access this information isn't exactly either company's fault, but rather the result of developers who are able to exploit software that acts as more of a middleman. Still, it doesn't help instill any sense of trust, especially when companies like Facebook already have a reputation for harvesting our personal information for their own monetization.
A Facebook representative told The Verge that the company encourages people "to be cautious when choosing which third-party apps are granted access to their social media accounts." Which, again, is absolutely true, but not exactly helpful in hindsight.
Maybe instead, it's time to start asking whether the bargain we make for "free" access to social media networks like Facebook is actually worth the cost. Because every time another breach like this occurs, it's clear that math just doesn't add up.