Aug 03, 2022 19:00:00

It turns out that Twitter's API key is leaked in more than 3200 applications, account hijacking is also possible

CloudSEK, a security company that monitors cybercrime, reported on August 1, 2022 that many apps were leaking Twitter's

API keys . CloudSEK has warned that leaking API keys that allow apps to access Twitter on behalf of users has enabled unauthorized access and hijacking of accounts.

How Leaked Twitter API Keys Can be Used to Build a Bot Army - CloudSEK
https://cloudsek.com/whitepapers_reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army/

Over 3,200 apps leak Twitter API keys, some allowing account hijacks
https://www.bleepingcomputer.com/news/security/over-3-200-apps-leak-twitter-api-keys-some-allowing-account-hijacks/

Twitter account hijacks made possible by error in 3,200 mobile apps
https://9to5mac.com/2022/08/02/twitter-account-hijacks/

When an app developer implements Twitter functionality in their mobile app, the developer obtains a special authorization key that allows the mobile app to exchange data with Twitter's API. And when the user associates the app with their Twitter account, this key allows the app to post tweets and send direct messages on behalf of the user. For example, a function such as a game application posting a high score to Twitter corresponds to this.

According to CloudSEK, the API key that is the key to this linkage function has leaked from 3207 mobile apps, of which 230 apps have leaked all four authentication credentials. In addition, CloudSEK reports that all four keys were valid for 39 apps.

A malicious third party who has obtained Twitter's API key can completely control the Twitter account, 'view direct messages', 'retweet and like', 'create or delete tweets', 'add or delete followers'. You will be able to access your account settings, change your account picture, etc.

The apps in question ranged in number from 50,000 to 5 million downloads, and ranged from transportation apps, radio, reading apps, news, internet banking apps, and cycling GPS apps. CloudSEK has reported this issue to app developers, but the specific app list is private due to the delay in fixing it.

According to the IT news site 9to5Mac, fortunately it is the app developer's account, not the app user, that can be hijacked. It has been pointed out that such API key leaks often occur when app developers embed authentication keys in Twitter's API and then forget to delete them when releasing.

Just because an app developer's account is hijacked doesn't mean that ordinary users won't be directly harmed. Many of the app developer accounts that are potential targets for hijacking are high-profile, authenticated Twitter accounts that can be used as bot networks to spread disinformation and malware. There are also concerns about spam campaigns such as investment scams targeting followers and phishing attacks.

In order to prevent such a situation, CloudSEK called on app developers to change the API key every six months instead of embedding the API key directly in the code.