Security researchers have discovered a list of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially allowing a threat actor to take over users’ Twitter accounts that are associated with the app.
The researchers from cybersecurity firm CloudSEK scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API.
While integrating mobile apps with Twitter, developers are provided special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.
Getting access to these authentication keys could let anyone perform actions as the associated Twitter users, which is why it is not recommended to store keys directly in a mobile app where threat actors can find them.
CloudSEK states that the leak of API keys is due to mistakes by app developers who embed their Twitter API authentication keys in the app but forget to remove them when the mobile app is released.
In such cases, the credentials are stored at locations within the mobile application where anyone with a copy of the app can retrieve them. With the recovered keys, a threat actor can read someone’s direct messages, perform retweets and likes, create or delete tweets, remove or add followers, access account settings, and change the display picture.
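To show the defender's side of this failure mode, here is an added example (not CloudSEK's tooling and not code from any of the affected apps) of a pre-release check that scans an Android strings.xml resource file for embedded Twitter consumer keys and secrets. The resource-name pattern, the entropy threshold and the sample resource file are assumptions constructed for this example; the key and secret values in it are made-up placeholders, not real credentials.

```python
"""Pre-release check for Twitter API credentials embedded in Android string resources.

Added example, not CloudSEK's tooling. It parses a res/values/strings.xml file
(a constructed sample is embedded below), flags <string> entries whose name
suggests a Twitter consumer key or secret, and applies a Shannon-entropy check to
the value so that obvious placeholders such as "REPLACE_ME" are not reported.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Resource names that suggest Twitter API credentials. Assumption: naming such as
# twitter_consumer_key / twitter_api_secret is common, but not every app uses it.
NAME_PATTERN = re.compile(
    r"twitter.*(consumer|api).*(key|secret)|(consumer|api)_(key|secret)", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric secrets score well above 3.5."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, single-token, high-entropy values. Thresholds are assumptions."""
    v = value.strip()
    return len(v) >= min_len and " " not in v and shannon_entropy(v) >= min_entropy


def scan_strings_xml(xml_text: str, path: str = "res/values/strings.xml") -> list[dict]:
    """Return findings for <string> elements that look like embedded Twitter credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("string"):
        name = el.get("name", "")
        value = el.text or ""
        if NAME_PATTERN.search(name) and looks_like_secret(value):
            findings.append({
                "path": path,
                "name": name,
                # Never log the full secret; keep a redacted prefix only.
                "value_preview": value[:4] + "..." + "*" * 4,
                "entropy": round(shannon_entropy(value.strip()), 2),
            })
    return findings


# Constructed sample resource file. The key and secret values are made-up
# placeholders for the example, not real Twitter credentials.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Cycling GPS Companion</string>
    <string name="twitter_consumer_key">Xk7mP2qLr9vT4wZb8nC1dF6h</string>
    <string name="twitter_consumer_secret">aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5aB6cD7eF8gH9i</string>
    <string name="twitter_api_key">REPLACE_ME_BEFORE_RELEASE</string>
    <string name="welcome_text">Welcome back, sign in with Twitter</string>
</resources>
"""

if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"[LEAK] {f['path']}: {f['name']} = {f['value_preview']} (entropy {f['entropy']})")
```

Run against the sample, the check reports the consumer key and consumer secret but not the `twitter_api_key` placeholder, whose low entropy falls under the threshold. In a real build pipeline the same function would be run over every `values*/strings.xml` in the project before the release artifact is produced, failing the build on any finding so the keys never ship inside the app.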
A threat actor could use these exposed tokens to create a Twitter army of verified accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
The researchers recommend that developers use API key rotation to protect authentication keys, which would invalidate the exposed keys after a few months.
CloudSEK shared a list of impacted applications with between 50,000 and 5,000,000 downloads, including city transportation companions, book readers, event loggers, newspapers, e-banking apps, cycling GPS apps, etc.
Most applications publicly exposing their API keys haven’t even acknowledged receiving CloudSEK’s notices a month after the cybersecurity firm alerted them, and most haven’t addressed the issues.
The list of apps is not disclosed as they are still vulnerable to exploitation and Twitter account takeover.