Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks

It has been reported that cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over the users’ Twitter accounts that are associated with the app. The discovery belongs to CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 apps leaking a valid Consumer Key and Consumer Secret for the Twitter API. CloudSEK explains that such leaks are commonly the result of mistakes by app developers, who embed their Twitter API authentication keys in the app during development but forget to remove them before the mobile app is released. According to the research, the keys could be abused to perform a range of sensitive actions including: reading direct messages; retweeting; liking; deleting; removing followers; following accounts; and changing display pictures.
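As an added illustration of the pre-release check a build pipeline could run to catch this class of mistake (example code written for this page, not CloudSEK's tooling or any app's own code): it walks an unpacked app's resource and source files, extracts key/value pairs whose names look like Twitter consumer credentials, and flags high-entropy values while skipping obvious placeholders. The name patterns, file types and entropy threshold are assumptions chosen for the example.

```python
"""Pre-release check: flag Twitter consumer credentials left in unpacked app resources."""
import re
from math import log2
from pathlib import Path
from typing import Dict, List

# Assumed naming conventions for the credentials (not taken from the CloudSEK report).
NAME_RE = re.compile(r"(?i)(twitter[_.\-]?)?(consumer|api|oauth)[_.\-]?(key|secret)")
PLACEHOLDER_RE = re.compile(r"(?i)your_|replace|changeme|todo|^x+$")
# Key/value shapes covered: Android strings.xml, Java/Kotlin/.properties assignments, JSON.
KV_RES = [
    re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]+)</string>'),
    re.compile(r'(?P<name>[A-Za-z_][\w.]*)\s*=\s*"?(?P<value>[A-Za-z0-9+/=_\-]{16,})"?'),
    re.compile(r'"(?P<name>[^"]+)"\s*:\s*"(?P<value>[A-Za-z0-9+/=_\-]{16,})"'),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; randomly generated tokens usually score above 3.5."""
    return -sum(s.count(c) / len(s) * log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str, min_entropy: float = 3.5) -> List[Dict[str, str]]:
    """Return credential-looking (name, value) pairs found in one file's text."""
    hits, seen = [], set()
    for rx in KV_RES:
        for m in rx.finditer(text):
            name, value = m.group("name"), m.group("value").strip()
            if (name, value) in seen or not NAME_RE.search(name):
                continue
            if PLACEHOLDER_RE.search(value) or shannon_entropy(value) < min_entropy:
                continue  # placeholder or too regular to be a generated secret
            seen.add((name, value))
            hits.append({"name": name, "value": value[:4] + "..."})  # never log the full secret
    return hits

def scan_tree(root: Path) -> Dict[str, List[Dict[str, str]]]:
    """Walk an unpacked app (e.g. apktool output) and report findings per file."""
    report: Dict[str, List[Dict[str, str]]] = {}
    for p in root.rglob("*"):
        if p.suffix in {".xml", ".json", ".properties", ".java", ".kt"}:
            hits = scan_text(p.read_text(errors="ignore"))
            if hits:
                report[str(p.relative_to(root))] = hits
    return report

if __name__ == "__main__":
    import sys
    for path, found in scan_tree(Path(sys.argv[1])).items():
        for h in found:
            print(f"{path}: {h['name']} = {h['value']}")
```

A finding means the credential must be rotated, not just deleted from the next build, since every shipped copy of the app still carries it.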

3 Expert Comments
Yaniv Balmas, VP of Research
InfoSec Expert
August 3, 2022 10:42 am

The exposed Twitter API key issue adds up to many similar reported issues in the past in which secret API keys are mistakenly leaked, either in an open-source version of the software, in a publicly exposed resource, or within a mobile application – such as in this case. The main difference between this case and most of the previous ones is that usually, when an API key is left exposed, the major risk is to the application/vendor – a good example of that would be AWS S3 API keys exposed on GitHub. In this case, however, since users permit the mobile application to use their own Twitter accounts, the issue actually puts them at the same risk level as the application itself. This adds up to a long list of possible abuses and attack scenarios that are exposed, due to the extensive growth of the API and SaaS domains. With such a huge growth rate, it is hard for security practitioners to keep up to speed – and I wouldn’t be surprised if we see more of these, and other types of vulnerabilities, emerge in the near future.

nick.rago
August 3, 2022 10:41 am

A common practice for attacking APIs is for attackers to first look for mobile applications that utilize the API and reverse engineer the mobile app binary to see if the developer has left behind any “goodies” to help gain access to the API. The Twitter API key issue is just another example of such. Investing in developer security education is key to help address this long term, but adequate run-time protection and behavioural monitoring of the APIs is imperative to detect these types of breaches immediately. The important point here is that this is just another example of a breach or vulnerability that would evade the traditional signature-based security defences that most organizations have in front of their APIs today.

Ray.kelly, Fellow
InfoSec Expert
August 3, 2022 10:33 am

While the potential impact of this incident could significantly impact Twitter’s end-users, this type of vulnerability is one of the easiest to prevent. When assessing a mobile app for security gaps, it is important to test the backend server, the network layer and in this case, the device itself. Failure to encrypt API secrets on the device is akin to wrapping your ATM card in a Post-It note with your PIN written on it. But in this case, the consequences are much more severe and could lead to attackers executing misinformation campaigns or impersonation attacks that can be targeted to specific Twitter users.

Information Security Buzz