Twitter mobile

Twitter API keys found leaked in over 3,200 apps

Business and verified Twitter accounts linked to affected apps are at risk of takeover, use in malicious campaigns
Image: Shutterstock via Dennis

2 August 2022

Some 3,207 apps have been identified as exposing the application program interface (API) keys of linked Twitter accounts, which can be used by threat actors to take control of accounts and use them for malicious purposes.

Digital risk monitoring platform CloudSek identified the threat using BeVirgil, their security search engine for mobile apps, and set out the details in a report. Of the 3,207 apps, 230 apps were leaking all four authentication credentials necessary to fully take over accounts, which can be accessed simply by downloading and decompiling each app.

Researchers stated that with the leaked keys, threat actors could access Twitter accounts and perform a range of actions such as read direct messages, retweet and like other tweets, delete tweets, remove or add followers and access account settings.




CloudSek also outlined a scenario in which threat actors could use a ‘bot army’ of seized accounts to perform attacks such as widespread disinformation campaigns, having verified accounts post malware or phishing links, inflate or deflate stock with spam posts, or promote cryptocurrency.

Aside from the immediate cost to companies of recovering accounts, the potential for reputational damage as a result of the vulnerability is sizeable.

Verified accounts in particular are prized by threat actors for their perceived trustworthiness, but after widespread tweets containing malware or phishing links, customers might struggle to trust a company’s Twitter again.

Fifty-seven of the apps had premium or enterprise subscriptions for Twitter API, which cost between $149 and $,2499 per month. Researchers indicated that the apps affected ranged in size from small to very large ‘unicorns’.

APIs are used to extend the functionality of an app to other developers, allowing them to embed the app in novel ways within their own program through the use of an interface.

Twitter uses OAuth tokens to link user accounts through the API without the need for the user’s password each time, and the standard is similarly used by Google, Facebook and Microsoft.

Researchers advised app developers to avoid directly embedding API keys in the code, and to observe several practices such as standardised review procedures, hiding keys in variables, and rotating keys regularly.

Advisories have been sent to the respective developers. However, Bleeping Computer reports that CloudSek has not received acknowledgement from many of the apps exposing keys that changes have been implemented to fix the vulnerabilities. As a result, researchers have held off from publishing app names, to prevent spreading live vulnerability information.

© Dennis Publishing

Read More:

Comments are closed.

Back to Top ↑