Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

Technology

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts.

The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.

“Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions,” the researchers said.

CyberSecurity

This can range from reading direct messages to carrying out arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture.

Access to the Twitter API requires generating the Keys and Access Tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made.

A malicious actor in possession of this information can, therefore, create a Twitter bot army that could be potentially leveraged to spread mis/disinformation on the social media platform.

“When multiple account takeovers can be utilized to sing the same tune in tandem, it only reiterates the message that needs to get disbursed,” the researchers noted.

CyberSecurity

What’s more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps can be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.

Added to the concern, it should be noted that the key leak is not limited to Twitter APIs alone. In the past, CloudSEK researchers have uncovered the secret keys for GitHub, AWS, HubSpot, and Razorpay accounts from unprotected mobile apps.

To mitigate such attacks, it’s recommended to review code for directly hard-coded API keys, while also periodically rotating keys to help reduce probable risks incurred from a leak.

“Variables in an environment are alternate means to refer to keys and disguise them apart from not embedding them in the source file,” the researchers said.

“Variables save time and increase security. Adequate care should be taken to ensure that files containing environment variables in the source code are not included.”

Products You May Like

Articles You May Like

Peaky Blinders Outfits: How To Get The Shelby Look
Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
Academy Award Nominee Eric Roberts Guests On “If These Walls Could Talk” With Hosts Wendy Stuart and Tym Moss Wednesday, November 13th, 2024
Black Friday 2024 Board Game Deals Drop On Amazon
Apple Gets EU Warning to Stop Geo-Blocking on App, ITunes Stores