3,200 Mobile Apps Leaking Twitter API Keys – Expert Comments

By ISBuzz Team
Writer, Information Security Buzz | Aug 02, 2022 12:35 am PST

Researchers at CloudSEK have uncovered 3,207 apps leaking Twitter API keys that can be used to gain access to or take over Twitter accounts. These apps were leaking legitimate Consumer Key and Consumer Secret values, the Singapore-based cybersecurity firm said in a report.

Researchers inspecting the mobile apps observed that:

  • 5,603 companies were leaking Twitter API Keys/Tokens
  • 5,033 companies were leaking the Twitter Secrets/Token Secret only
  • 4,810 companies were leaking both the Twitter API Keys/Tokens and the Twitter Secrets/Token Secrets

Out of the 3,207 apps, 230 were leaking all four authentication credentials, and in 39 of them all four were still valid. The Twitter accounts behind these apps could be taken over to perform critical or sensitive actions such as reading DMs, retweeting, liking, deleting, removing followers, following any account, reading account settings, changing the display picture, etc.

1 Expert Comment
David Stewart
August 2, 2022 8:35 am

There are only two ways to solve this problem. Either adopt a mobile security solution that enables you to store your API keys off device and deliver them only when needed or require a second independent factor to be present alongside the API key to access backend data and resources – effectively ensuring that API keys can’t be abused even if they leak out.

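The report's breakdown (key only, secret only, both, all four) and the comment's advice (keys should never be on the device in the first place) both come down to one pre-release check: inspect the decoded app resources before shipping and fail the build if a live Twitter credential is present. The following Python is an added example, not code from CloudSEK or from the article; it assumes a decoded Android strings.xml as input, and the resource-name patterns and placeholder heuristics are its own assumptions, not a format defined by Twitter.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Resource names that commonly carry the four Twitter OAuth 1.0a credentials
# in a decoded strings.xml. Name-based matching is an assumption of this
# example; tune the patterns to your own project's naming conventions.
CRED_NAME_PATTERNS = {
    "consumer_key": re.compile(r"(twitter|tw)?[_-]?(consumer|api)[_-]?key$", re.I),
    "consumer_secret": re.compile(r"(twitter|tw)?[_-]?(consumer|api)[_-]?secret$", re.I),
    "access_token": re.compile(r"(twitter|tw)?[_-]?access[_-]?token$", re.I),
    "access_token_secret": re.compile(r"(twitter|tw)?[_-]?access[_-]?token[_-]?secret$", re.I),
}

# Values that are empty or obviously templated are not live secrets.
PLACEHOLDER = re.compile(r"^(|your_.*|<.*>|todo|changeme|xxx+)$", re.I)


def find_twitter_credentials(strings_xml: str) -> Dict[str, str]:
    """Return {credential_kind: value} for every populated, credential-looking
    <string name="..."> entry in a decoded strings.xml."""
    root = ET.fromstring(strings_xml)
    found: Dict[str, str] = {}
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if PLACEHOLDER.match(value):
            continue
        for kind, pattern in CRED_NAME_PATTERNS.items():
            if pattern.search(name):
                found[kind] = value
                break
    return found


def classify_leak(found: Dict[str, str]) -> str:
    """Map the credentials found onto the categories used in the CloudSEK
    write-up: key/token only, secret only, both, or all four."""
    has_key = "consumer_key" in found or "access_token" in found
    has_secret = "consumer_secret" in found or "access_token_secret" in found
    if len(found) == 4:
        return "all four credentials"
    if has_key and has_secret:
        return "key and secret"
    if has_key:
        return "key only"
    if has_secret:
        return "secret only"
    return "none"


# Constructed sample inputs; the credential values are dummies, not real keys.
SAMPLE_LEAKING = """<resources>
    <string name="app_name">Demo</string>
    <string name="twitter_consumer_key">CONSTRUCTED_CONSUMER_KEY_123</string>
    <string name="twitter_consumer_secret">CONSTRUCTED_CONSUMER_SECRET_456</string>
    <string name="twitter_access_token">CONSTRUCTED_ACCESS_TOKEN_789</string>
    <string name="twitter_access_token_secret">CONSTRUCTED_TOKEN_SECRET_000</string>
</resources>"""

SAMPLE_CLEAN = """<resources>
    <string name="app_name">Demo</string>
    <string name="twitter_consumer_key"></string>
    <string name="twitter_consumer_secret">YOUR_SECRET_HERE</string>
</resources>"""


def build_gate(strings_xml: str) -> bool:
    """True if the build may ship (no live Twitter credential found)."""
    return classify_leak(find_twitter_credentials(strings_xml)) == "none"


if __name__ == "__main__":
    for label, xml in (("leaking", SAMPLE_LEAKING), ("clean", SAMPLE_CLEAN)):
        creds = find_twitter_credentials(xml)
        print(f"{label}: {classify_leak(creds)} -> ship={build_gate(xml)}")
```

Run it as a CI step over the decoded resources of the release build (for example the output of an APK decoder) and fail the pipeline when `build_gate` returns `False`. The gate is only a safety net: the structural fix in the comment above is for the client to hold no Twitter credential at all, with the backend making the Twitter calls on its behalf.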
