External Account Information Collection Not Disclosed in Privacy Policy

Description

The application accesses or collects information from users' external accounts (such as social media profiles or other third-party services), but the privacy policy does not clearly disclose this. This can include profile information, contact lists, or other data from linked accounts. Failure to inform users about this data access can be misleading and may violate privacy regulations.

Recommendation

Update your application's privacy policy to explicitly state if and how information from external accounts is accessed or collected. Clearly describe the types of information obtained, the specific purposes for this access, how the data is used and stored, its retention period, and any sharing with the primary application. Ensure users provide clear consent before linking external accounts and understand what data will be accessed.

Standards

  • GDPR:
    • ART_5
    • ART_6
    • ART_7
    • ART_12
    • ART_13
    • ART_25
    • ART_32
  • CCPA:
    • CCPA_1798_100
    • CCPA_1798_110
    • CCPA_1798_150
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_1
    • MASVS_PRIVACY_2
  • SOC2_CONTROLS:
    • CC_2_3
    • CC_5_3
    • CC_6_1
  • CNIL_FOR_EDITORS:
    • EDITORS_3_1_1
    • EDITORS_3_1_2