
Researchers have discovered a list of 3,207 mobile apps that are clearly exposing Twitter API keys, some of which could be used to gain unauthorized access to their associated Twitter accounts.
The takeover is made possible by the leak of legitimate consumer key and consumer secret information, Singapore-based cybersecurity firm CloudSEK said in a report shared exclusively with The Hacker News.
“Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to completely take over their Twitter accounts and perform any critical/sensitive actions,” the researchers said.

This can range from reading direct messages to performing arbitrary actions such as retweeting, liking and deleting tweets, following and unfollowing any account, accessing account settings and even changing the profile picture.
Access to the Twitter API requires generating secret keys and access tokens, which act as the username and password both for the application and for the users on whose behalf API requests are made.
Therefore, a malicious actor in possession of this information can create a bot army on Twitter that can be used to spread misinformation/disinformation on the social media platform.
“When multiple accounts can be used to sing the same tune at the same time, it only repeats the message that needs to be delivered,” the researchers noted.

Additionally, in a hypothetical scenario explained by CloudSEK, API keys and tokens collected from mobile apps could be fed into a program to run large-scale malware campaigns through verified accounts to target their followers.
Adding to the concern, the leak of such keys is not limited to Twitter's APIs. In the past, CloudSEK researchers have discovered secret keys for GitHub, AWS, HubSpot, and Razorpay accounts in vulnerable mobile apps.
To mitigate such attacks, it is recommended to review the code for hard-coded API keys, while also periodically rotating the keys to help reduce the potential impact of a leak.
"Environment variables are an alternative means of referencing and masking keys, rather than inserting them into the source file," the researchers said.
“Variables save time and increase security. Adequate care should be taken to ensure that files containing environment variables in the source code are not included.”
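As an added example (not from the CloudSEK report or this article), the Python script below flags the four Twitter credentials when they appear as hard-coded literals in a decompiled app's configuration, grades the finding the way the report does (all four present means full account takeover), and shows the environment-variable loader the researchers recommend. The regex, the environment variable names and the sample config are assumptions constructed for this example.

```python
import os
import re

# The four credentials a Twitter API client carries: consumer key/secret identify the
# app, access token/secret act on behalf of a user. All four together is the case the
# CloudSEK report describes as a complete account takeover.
CREDENTIAL_KEYS = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")

# Heuristic: a field whose name contains one of the credential names, assigned a quoted
# literal of 8+ characters. Assumption: tune the pattern to your own code base.
_HARDCODED = re.compile(
    r'(?P<name>[A-Za-z_]*(?:consumer_key|consumer_secret|access_token_secret|access_token)'
    r'[A-Za-z_]*)["\']?\s*[:=]\s*["\'](?P<value>[^"\'\n]{8,})["\']',
    re.IGNORECASE,
)

# Constructed sample of a decompiled app's config; every value is made up.
SAMPLE_CONFIG = """
twitter.consumer_key = "xvz1evFS4wEEPTGEFPHBog12345"
twitter.consumer_secret = "L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg"
TWITTER_ACCESS_TOKEN="1234567890-AbCdEfGhIjKlMnOpQrStUvWxYz0123"
TWITTER_ACCESS_TOKEN_SECRET: 'zyxwvutsrqponmlkjihgfedcba9876543210ABCD'
"""


def find_hardcoded(text):
    """Return {credential_name: literal_value} for every hard-coded credential found."""
    found = {}
    for m in _HARDCODED.finditer(text):
        name = m.group("name").lower()
        # Longest name first so access_token_secret is not misfiled as access_token.
        for key in sorted(CREDENTIAL_KEYS, key=len, reverse=True):
            if key in name:
                found[key] = m.group("value")
                break
    return found


def risk_level(found):
    """Map the set of leaked credentials to the severity tiers used in the report."""
    if all(k in found for k in CREDENTIAL_KEYS):
        return "full_takeover"  # app credentials plus a user's token and secret
    return "partial" if found else "none"


def load_from_env(env=os.environ):
    """Hardened alternative: read the credentials from the environment (variable names
    are an assumption) and refuse to start if any of the four is missing."""
    missing = [k for k in CREDENTIAL_KEYS if not env.get("TWITTER_" + k.upper())]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {k: env["TWITTER_" + k.upper()] for k in CREDENTIAL_KEYS}
```

Running `risk_level(find_hardcoded(SAMPLE_CONFIG))` on the constructed config returns `"full_takeover"`; point `find_hardcoded` at the strings of an unpacked app to triage it the same way.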