Researchers at CloudSEK have identified 3,207 mobile apps that leak Twitter API credentials which can be used to access, and in some cases fully take over, Twitter accounts. The apps exposed valid Consumer Key and Consumer Secret values, Singapore-based cybersecurity firm CloudSEK said in a report.
Researchers inspecting the mobile apps observed that:
- 5,603 companies were leaking Twitter API Keys/Tokens
- 5,033 companies were leaking only the Twitter Secrets/Token Secrets
- 4,810 companies were leaking both the Twitter API Keys/Tokens and the Twitter Secrets/Token Secrets
Of the 3,207 apps, 230 leaked all four OAuth 1.0a credentials (Consumer Key, Consumer Secret, Access Token and Access Token Secret), and for 39 of them all four were still valid. With a complete, valid set, the app's own Twitter account can be taken over outright: an attacker can read direct messages, retweet, like and delete tweets, remove followers, follow any account, read account settings, change the profile picture (DP), and so on. A Consumer Key and Consumer Secret alone do not grant access to a user account, but they let an attacker act as the application itself, for example by running OAuth sign-in flows under the app's identity.
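The findings above come from inspecting app packages for hardcoded credentials. The following scanner is an added example written for this page, not CloudSEK's tooling or code from any of the apps: it walks the text of extracted app files (decompiled Java, `strings.xml`, bundled properties), matches the four Twitter OAuth 1.0a credential types, and classifies each app into the same exposure tiers the report uses (key and secret only, all four). The credential length heuristics, the file names and the sample credential values are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, List

# Heuristic shapes for Twitter OAuth 1.0a credentials as they commonly appear in
# app code and resources. The fixed lengths are conventions used by secret
# scanners, not an official Twitter specification (assumption for this example).
CREDENTIAL_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "consumer_key": re.compile(
        r"(?i)(?:consumer|api)[_\-]?key\W{0,5}([A-Za-z0-9]{25})(?![A-Za-z0-9])"),
    "consumer_secret": re.compile(
        r"(?i)(?:consumer|api)[_\-]?secret\W{0,5}([A-Za-z0-9]{50})(?![A-Za-z0-9])"),
    # Access tokens look like "<numeric user id>-<random>"; exclude the *_secret label.
    "access_token": re.compile(
        r"(?i)access[_\-]?token(?![_\-]?secret)\W{0,5}(\d{5,20}-[A-Za-z0-9]{20,45})(?![A-Za-z0-9])"),
    "access_token_secret": re.compile(
        r"(?i)access[_\-]?token[_\-]?secret\W{0,5}([A-Za-z0-9]{45})(?![A-Za-z0-9])"),
}


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return every credential value found in one file, keyed by credential type."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        values = pattern.findall(text)
        if values:
            found[kind] = values
    return found


def scan_app(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Merge findings across all extracted files of a single app."""
    merged: Dict[str, List[str]] = {}
    for text in files.values():
        for kind, values in scan_text(text).items():
            merged.setdefault(kind, []).extend(values)
    return merged


def exposure(found: Dict[str, List[str]]) -> str:
    """Map the set of leaked credential types onto the report's exposure tiers."""
    kinds = set(found)
    if kinds == set(CREDENTIAL_PATTERNS):
        return "all four: account takeover of the app's own Twitter account"
    if {"consumer_key", "consumer_secret"} <= kinds:
        return "consumer key and secret: app impersonation (OAuth flows as this app)"
    if kinds:
        return "partial: " + ", ".join(sorted(kinds))
    return "clean"


# Constructed sample credentials (not real keys) with the lengths the patterns expect.
CK = "AbCdEfGhIjKlMnOpQrStUvWxY"        # 25 chars
CS = "k9Wq2" * 10                        # 50 chars
AT = "1234567890-" + "Rm8Pv" * 8         # numeric id, dash, 40 chars
ATS = "Zt4Ny" * 9                        # 45 chars

# Constructed extracted-app contents, one dict per hypothetical app.
SAMPLE_APPS: Dict[str, Dict[str, str]] = {
    "app_all_four": {
        "com/example/TwitterConfig.java": f'''
public final class TwitterConfig {{
    static final String CONSUMER_KEY = "{CK}";
    static final String CONSUMER_SECRET = "{CS}";
    static final String ACCESS_TOKEN = "{AT}";
    static final String ACCESS_TOKEN_SECRET = "{ATS}";
}}
''',
    },
    "app_key_and_secret": {
        "res/values/strings.xml": f'''
<resources>
    <string name="twitter_consumer_key">{CK}</string>
    <string name="twitter_consumer_secret">{CS}</string>
</resources>
''',
    },
    "app_secret_only": {
        "assets/config.properties": f"twitter.api_secret={CS}\n",
    },
}


def report(apps: Dict[str, Dict[str, str]] = SAMPLE_APPS) -> Dict[str, str]:
    """Exposure verdict per app."""
    return {name: exposure(scan_app(files)) for name, files in apps.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

Any hit from a scanner like this should be treated as compromised and rotated; the classification only tells you how bad the exposure is, not whether the credential was already abused.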
Leaked keys should be revoked and regenerated first, but that does not remove the root cause. Two mitigations address it. Either keep API keys off the device altogether and deliver them from a backend only when a verified app instance needs them, or require a second, independent factor that does not live in the app binary alongside the API key before the backend serves any data or resources, so that a key that does leak is useless on its own.
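The second mitigation, a backend that refuses the API key on its own, can be sketched as follows. This is an added illustrative example, not the product or code of any vendor or of the apps in the report: the backend accepts a request only when the API key is accompanied by a short-lived, single-use attestation token minted with a secret that never ships in the app. The key registry, the HMAC-based token format, the TTL and the key values are all assumptions made for the demonstration; a real deployment would obtain the second factor from a device or app attestation service.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Server-side registry of issued API keys (constructed placeholder). Holding a
# key from this set must not be sufficient to get a response.
VALID_API_KEYS: Set[str] = {"app-key-7f3d"}

# Secret held only by the attestation service and backend; it is never embedded
# in the app, so a decompiled APK cannot yield it (constructed value, would come
# from a KMS in practice).
ATTESTATION_SECRET = b"server-side-attestation-secret"
TOKEN_TTL_SECONDS = 300


def _mac(api_key: str, nonce: str, expiry: int) -> str:
    msg = f"{api_key}.{nonce}.{expiry}".encode()
    return hmac.new(ATTESTATION_SECRET, msg, hashlib.sha256).hexdigest()


def issue_attestation(api_key: str, now: int) -> str:
    """Mint the second factor: bound to one API key, short-lived, single-use.
    Only an app instance that passed attestation would receive this."""
    nonce = secrets.token_hex(8)
    expiry = now + TOKEN_TTL_SECONDS
    return f"{nonce}.{expiry}.{_mac(api_key, nonce, expiry)}"


class Backend:
    """Resource server that requires API key AND a valid attestation."""

    def __init__(self) -> None:
        # Nonces already redeemed; a production system would bound this cache
        # to the token TTL instead of growing it forever.
        self.seen_nonces: Set[str] = set()

    def authorize(self, api_key: Optional[str], attestation: Optional[str], now: int) -> str:
        if api_key not in VALID_API_KEYS:
            return "deny: unknown api key"
        if not attestation:
            return "deny: api key alone is not sufficient"
        try:
            nonce, expiry_str, mac = attestation.split(".")
            expiry = int(expiry_str)
        except ValueError:
            return "deny: malformed attestation"
        # Check the MAC before anything else so the other checks leak nothing
        # about forged tokens.
        if not hmac.compare_digest(mac, _mac(api_key, nonce, expiry)):
            return "deny: attestation not issued for this key"
        if now >= expiry:
            return "deny: attestation expired"
        if nonce in self.seen_nonces:
            return "deny: attestation replayed"
        self.seen_nonces.add(nonce)
        return "allow"


def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Walk through what a leaked key can and cannot do against this backend."""
    backend = Backend()
    leaked_key = "app-key-7f3d"          # what the attacker pulled from the APK
    token = issue_attestation(leaked_key, now)
    return {
        "leaked key only": backend.authorize(leaked_key, None, now),
        "key + fresh attestation": backend.authorize(leaked_key, token, now),
        "same attestation replayed": backend.authorize(leaked_key, token, now),
        "key + expired attestation": backend.authorize(
            leaked_key, issue_attestation(leaked_key, now), now + TOKEN_TTL_SECONDS + 1),
        "key + attestation for another key": backend.authorize(
            leaked_key, issue_attestation("some-other-key", now), now),
        "unknown key": backend.authorize("forged-key", token, now),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:36s} -> {decision}")
```

The point of the walk-through is the first two lines: the very same key that was extractable from the app is rejected on its own and accepted only with a factor the attacker cannot mint, which is what makes the leak survivable.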