Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys


Researchers have identified 3,207 mobile apps that leak Twitter API credentials, some of which can be used to gain unauthorized access to Twitter accounts.

The takeover is made possible by a leak of legitimate Consumer Key and Consumer Secret information, the Singapore-based cybersecurity firm CloudSEK said in a report shared exclusively with The Hacker News.

“Of the 3,207, 230 apps leak all four authentication credentials and can be used to completely take over their Twitter accounts and perform critical/sensitive actions,” the researchers said.

This can range from reading direct messages to performing arbitrary actions such as retweeting, liking and deleting tweets, following an account, removing followers, accessing account settings and even changing the account profile picture.

Access to the Twitter API requires generating API keys and access tokens, which act as the username and password for the app and for the user on whose behalf the API requests are made.
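To make concrete why all four values matter, here is an added example (written for this article, not code from CloudSEK or Twitter) of how the Twitter v1.1 API authenticates a request with OAuth 1.0a: the consumer key and access token identify the app and the user, and the two secrets, joined by an ampersand, form the HMAC-SHA1 signing key. The credential values, nonce and timestamp are constructed placeholders, and nothing here touches the network; the "server side" function simply recomputes the signature the way the API would, so the block shows both halves of the exchange.

```python
"""OAuth 1.0a (HMAC-SHA1) signing and verification as used by the Twitter v1.1 API.

Added example for this article, not code from CloudSEK or Twitter. All credential
values are constructed placeholders in the shape a leaked app would expose, and
nothing here touches the network.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed placeholders: the four values a fully compromised app exposes.
CONSUMER_KEY = "EXAMPLEconsumerKey000"               # identifies the app (its "username")
CONSUMER_SECRET = "EXAMPLEconsumerSecret000"         # proves the app's identity (its "password")
ACCESS_TOKEN = "1234567890-EXAMPLEaccessToken000"    # identifies the user the app acts for
ACCESS_TOKEN_SECRET = "EXAMPLEaccessTokenSecret000"  # proves that user's authorisation

POST_URL = "https://api.twitter.com/1.1/statuses/update.json"


def percent_encode(value: str) -> str:
    """RFC 3986 encoding mandated by OAuth 1.0a: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&encoded(url)&encoded(sorted k=v list); both sides must build this identically."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(param_string)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    # The signing key is simply the two secrets joined by '&'. Anyone holding all four
    # leaked values can therefore produce exactly the signature the legitimate app would.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, request_params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: return the Authorization header value for one API call."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**request_params, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(
        f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(oauth_params.items())
    )


def verify_request(method, url, request_params, auth_header, consumer_secret, token_secret):
    """Server side: recompute the signature from the header and compare in constant time."""
    fields = {unquote(k): unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', auth_header)}
    presented = fields.pop("oauth_signature", "")
    base = signature_base_string(method, url, {**request_params, **fields})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def example_exchange():
    """Sign a tweet-posting request with the leaked values, then verify it as the API would."""
    params = {"status": "Hi + bye"}
    header = sign_request("POST", POST_URL, params, CONSUMER_KEY, CONSUMER_SECRET,
                          ACCESS_TOKEN, ACCESS_TOKEN_SECRET, nonce="abc123", timestamp=1318622958)
    accepted = verify_request("POST", POST_URL, params, header, CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    # With only three of the four values (wrong token secret) the signature no longer matches.
    forged = sign_request("POST", POST_URL, params, CONSUMER_KEY, CONSUMER_SECRET,
                          ACCESS_TOKEN, "wrong-secret", nonce="abc123", timestamp=1318622958)
    rejected = verify_request("POST", POST_URL, params, forged, CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    return header, accepted, rejected


if __name__ == "__main__":
    header, accepted, rejected = example_exchange()
    print(header)
    print("genuine accepted:", accepted, "| forged accepted:", rejected)
```

The double percent-encoding of the parameter string in the base string (a literal space in the status becomes `%2520`) is the step most hand-rolled clients get wrong; the server recomputes the same base string from the header fields, so both sides must apply it identically.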

A malicious actor in possession of this information can therefore create a Twitter bot army that can potentially be used to spread misinformation/disinformation on the social media platform.

“When multiple account takeovers can be used to sing the same tune in succession, it only repeats the message that needs to be paid out,” the researchers noted.

What’s more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps could be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.

Adding to the concern, the leaks are not limited to Twitter API keys. In the past, CloudSEK researchers have found secret keys for GitHub, AWS, HubSpot, and Razorpay accounts exposed by unprotected mobile apps.

To mitigate such attacks, developers should audit their code, including the resource and configuration files bundled into the app, for directly hard-coded API keys, and rotate keys periodically so that a leaked key has a limited useful lifetime.

“Environment variables are an alternative way to reference and hide keys, other than not including them in the source file,” the researchers said.

“Variables save time and increase security. Sufficient care must be taken to ensure that files containing environment variables are not included in the source code.”
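The audit recommended above is easy to script. The following is an added example, not CloudSEK's tooling, that walks a decompiled Android app tree (the kind apktool or jadx produce) and flags string constants whose identifier names look like credentials, or whose value has the Twitter access-token shape (numeric user id, a dash, then the token body). The file contents are constructed samples; the name heuristics and token shape are assumptions based on the documented credential formats, so hits are leads to confirm rather than proof. Reported values are masked so the report itself does not become another leak.

```python
"""Heuristic scan for hard-coded Twitter API credentials in a decompiled app tree.

Added example for this article, not CloudSEK's tooling. SAMPLE_TREE is a constructed
stand-in for apktool/jadx output; the name patterns and access-token shape are assumptions.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of a decompiled Android app (path -> file contents).
SAMPLE_TREE: Dict[str, str] = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DemoTweeter</string>\n'
        '    <string name="twitter_consumer_key">EXAMPLEconsumerKey000</string>\n'
        '    <string name="twitter_consumer_secret">EXAMPLEconsumerSecret000</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/net/TwitterClient.java": (
        "package com.example.net;\n"
        "public class TwitterClient {\n"
        '    static final String ACCESS_TOKEN = "1234567890-EXAMPLEaccessToken000";\n'
        '    static final String ACCESS_TOKEN_SECRET = "EXAMPLEaccessTokenSecret000";\n'
        '    static final String BASE_URL = "https://api.twitter.com/1.1/";\n'
        "}\n"
    ),
    "sources/com/example/ui/MainActivity.java": (
        "package com.example.ui;\n"
        'public class MainActivity { String title = "Welcome"; }\n'
    ),
}

# Android resource strings: <string name="...">value</string>
XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)">(?P<value>[^<]*)</string>')
# Java/Kotlin string constant assignments: NAME = "value"
STRING_ASSIGN = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]+)"')
# Assumed heuristics: identifier names that usually carry credentials, and the
# Twitter access-token shape <numeric user id>-<token body>.
SENSITIVE_NAME = re.compile(r"(consumer|api|app)_?(key|secret)|access_?token|token_?secret", re.I)
ACCESS_TOKEN_SHAPE = re.compile(r"^\d{5,}-[A-Za-z0-9]{20,}$")


class Finding(NamedTuple):
    path: str
    line: int
    name: str
    value: str
    reason: str


def mask(value: str) -> str:
    """Keep only a short prefix so reports can be shared without re-leaking the secret."""
    return value[:4] + "..."


def scan_text(path: str, text: str) -> List[Finding]:
    pattern = XML_STRING if path.endswith(".xml") else STRING_ASSIGN
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in pattern.finditer(line):
            name, value = m.group("name"), m.group("value")
            if SENSITIVE_NAME.search(name):
                reason = "credential-like name"
            elif ACCESS_TOKEN_SHAPE.match(value):
                reason = "access-token shape"
            else:
                continue
            findings.append(Finding(path, lineno, name, value, reason))
    return findings


def scan_tree(tree: Dict[str, str]) -> List[Finding]:
    """Scan every file in a path -> contents mapping (swap in a directory walk for a real tree)."""
    findings = []
    for path in sorted(tree):
        findings.extend(scan_text(path, tree[path]))
    return findings


def report(findings: List[Finding]) -> List[str]:
    return [f"{f.path}:{f.line}: {f.name} = {mask(f.value)} ({f.reason})" for f in findings]


if __name__ == "__main__":
    for line in report(scan_tree(SAMPLE_TREE)):
        print(line)
```

On a real extraction, replace `SAMPLE_TREE` with a walk over the unpacked APK and also check `assets/`, `.properties` and `BuildConfig` classes, since secrets moved out of source files often end up there instead; the scan is only as good as the locations it covers.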