"Nearly 3,200 Apps Discovered Leaking Twitter API Keys, Some Even Allow Account Hijacks"
Researchers at CloudSEK, a cybersecurity firm, examined a large number of mobile apps for exposed secrets and discovered 3,207 that ship with a valid Consumer Key and Consumer Secret for the Twitter API (and, in some apps, the user-level Access Token and Access Token Secret as well), potentially allowing a threat actor to hijack users' connected Twitter accounts. Developers who integrate Twitter into their mobile apps are issued unique authentication keys, or tokens, that let the app talk to the Twitter API. When a user connects their Twitter account to such an app, those keys allow the app to act on the user's behalf: log them into Twitter, post tweets, send direct messages, and so on. Embedding the keys directly in the mobile app is therefore never advised, because anyone who pulls them out of the app package can perform the same actions as the affected Twitter users. According to CloudSEK, most of these leaks happen the same way: developers hard-code their Twitter API credentials in the app while building and testing it and fail to remove them before the app is released. One way to abuse this access would be to assemble a Twitter army of verified (trustworthy) accounts with sizable followings and use it to spread disinformation, malware campaigns, cryptocurrency scams, and more. CloudSEK recommends that developers rotate API keys, which renders a disclosed key useless after a few months, in addition to keeping credentials out of the app package altogether. CloudSEK also released a list of impacted apps, which included radio tuners, book readers, event loggers, newspapers, e-banking apps, bicycle GPS apps, and other programs with between 50,000 and 5,000,000 downloads.
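As an added illustration, not code from the article or from CloudSEK's tooling, the following Python scanner performs the kind of check a researcher or a CI job would run over the contents of a decompiled app (resource XML and decompiled Java): it looks for lines that name a Twitter credential and carry a delimited string literal of the expected shape, then reports whether the leaked set is enough for outright account takeover in the OAuth 1.0a model (consumer pair plus user token pair) or only an app-credential leak. The sample files, paths and key values are constructed for the example (they have the right shape but are not real credentials), and the length patterns are assumptions based on commonly published Twitter key formats, not something the article states.

```python
"""Scan decompiled mobile-app sources for embedded Twitter API credentials.

Added example; sample inputs and credential shapes are constructed/assumed.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for files pulled out of a decompiled APK. Every key
# value below is made up and merely has the shape of a Twitter credential.
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">RadioTuner</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN</string>
</resources>""",
    "com/example/radio/TwitterClient.java": """public class TwitterClient {
    private static final String ACCESS_TOKEN = "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789ABCD";
    private static final String ACCESS_TOKEN_SECRET = "zyxwvutsrqponmlkjihgfedcba0123456789ABCDEFGHI";
    private static final String API_BASE = "https://api.twitter.com/1.1/";
}""",
    "com/example/radio/Config.java": """public class Config {
    // credentials are fetched from the backend at runtime, nothing embedded here
    private static final String CONSUMER_KEY_NAME = "twitter_consumer_key";
}""",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


# A value only counts if it sits between quotes or XML tag delimiters, so a
# 25-character run inside a longer secret is not reported as a consumer key.
_DELIM = r'(?<=["\'>])({})(?=["\'<])'

# Most specific kind first: "access_token_secret" lines also contain
# "access_token". Value shapes are assumptions from commonly published
# Twitter key formats (25-char key, 50-char secret, "<userid>-<40>" token,
# 45-char token secret), not taken from Twitter documentation.
CREDENTIAL_PATTERNS = [
    ("access_token_secret", re.compile(r"access[_\s-]?token[_\s-]?secret", re.I),
     re.compile(_DELIM.format(r"[A-Za-z0-9]{45}"))),
    ("access_token", re.compile(r"access[_\s-]?token", re.I),
     re.compile(_DELIM.format(r"[0-9]{5,20}-[A-Za-z0-9]{40}"))),
    ("consumer_secret", re.compile(r"(consumer|api)[_\s-]?secret", re.I),
     re.compile(_DELIM.format(r"[A-Za-z0-9]{50}"))),
    ("consumer_key", re.compile(r"(consumer|api)[_\s-]?key", re.I),
     re.compile(_DELIM.format(r"[A-Za-z0-9]{25}"))),
]


def scan_text(path, text):
    """Return Findings for every line that names a credential AND carries a
    literal of the matching shape; a bare name without a value is ignored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, keyword_re, value_re in CREDENTIAL_PATTERNS:
            if not keyword_re.search(line):
                continue
            match = value_re.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, match.group(1)))
                break  # one credential per line; most specific kind wins
    return findings


def scan_files(files):
    """Scan a mapping of path -> file contents (e.g. an unpacked APK tree)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def hijack_risk(findings):
    """Classify the leak. Consumer key + secret let an attacker impersonate the
    app in the OAuth flow; adding a user's access token + secret lets them sign
    requests as that user's account (the account-hijack case)."""
    kinds = {f.kind for f in findings}
    app_pair = {"consumer_key", "consumer_secret"} <= kinds
    user_pair = {"access_token", "access_token_secret"} <= kinds
    if app_pair and user_pair:
        return "account-takeover"
    if app_pair:
        return "app-credentials-leak"
    if kinds:
        return "partial-leak"
    return "none"


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} = {f.value[:6]}...")
    print("risk:", hijack_risk(results))
```

Run against a real unpacked app, the same scanner would be pointed at the output of a decompiler; the delimiter check and the keyword-plus-shape pairing keep it from flagging constant names such as `CONSUMER_KEY_NAME` that merely mention a credential.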
This article continues to discuss the discovery of 3,207 apps leaking Twitter API keys.