Twitter API keys are leaked by over 3,200 apps, some of which enable account takeover
Experts in cybersecurity have discovered a group of 3,207 mobile apps that expose Twitter API keys to the general populace, potentially allowing a threat actor to take control of users’ Twitter accounts linked to the app.
The finding was made by cybersecurity company CloudSEK, which examined extensive app sets for potential data leaks and discovered 3,207 apps that were leaking a working Consumer Key and Consumer Secret for the Twitter API.
Developers who integrate mobile apps with Twitter will receive unique authentication keys, or tokens, that enable those apps to communicate with the Twitter API. When a user links their Twitter account to this mobile app, the keys also give the app the ability to act on their behalf. For example, the app can log them into Twitter, create tweets, send direct messages, and more.
It is never advised to put keys directly in a mobile app where threat actors might locate them because having access to these authentication credentials could allow anyone to undertake actions as related Twitter users.
Assembling a Twitter army
According to CloudSEK, app developers frequently make blunders by forgetting to delete their authentication keys once the mobile app is deployed after embedding them in the Twitter API.
The following areas in mobile applications are where the credentials are kept in these circumstances:
- View a person’s direct messages.
- Retweet and like tweets.
- Publish or remove tweets.
- Removing or including new followers.
- Log in to your account settings.
- Change display picture.
According to CloudSEK, one of the most obvious uses for this access would be for a threat actor to build a Twitter army of verified (authentic) accounts with a lot of followers to spread false information, malware campaigns, cryptocurrency frauds, etc.
According to CloudSEK, app developers frequently make blunders by failing to delete their authentication keys once the mobile app is deployed after embedding them in the Twitter API.
To protect authentication keys, CloudSEK advises developers to use API key rotation, which would render the disclosed keys useless after a few months.
In addition to public transportation companions, book readers, event trackers, newspapers, e-banking apps, cycling GPS apps, and much more, CloudSEK published a list of afflicted applications with BleepingComputer, with apps between 50,000 and 5,000,000 downloads.
After a month since CloudSEK warned them, the majority of applications that make their API keys publicly available haven’t even acknowledged seeing the alerts, let alone remedied the problems.
Due to the fact that these apps are still susceptible to exploitation and Twitter account takeover, BleepingComputer will not release the list of apps.
Ford Motors stands out as an exceptional case because it responded and fixed the “Ford Events” app, which was also leaking Twitter API keys.