Researchers at CloudSEK have uncovered 3,207 apps, leaking Twitter API keys, that can be utilized to gain access to or to take over Twitter accounts. These apps were leaking legitimate Consumer Key and Consumer Secret information, Singapore-based cybersecurity firm CloudSEK said in a report.
Researchers inspecting the mobile apps observed that:
- 5,603 companies were leaking Twitter API Keys/Tokens
- 5,033 companies were leaking the Twitter Secrets/Token Secret only
- 4,810 companies were leaking both the Twitter API Keys/Tokens and the Twitter Secrets/Token Secrets
Out of 3,207 apps, 230 were leaking all 4 Auth Creds. 39 of the apps had all 4 keys as valid. The Twitter accounts of these apps could be taken over to perform any critical/sensitive actions such as read DMs, Retweet, Like, Delete, remove followers, follow any account, get account settings, change DP, etc.