Millions of Twitter accounts could be at risk of being attacked by these security flaws


Thousands of mobile apps are leaking Twitter API keys, giving attackers the ability to take full control of the linked Twitter accounts and use them for identity theft or other types of cyber fraud.

The findings come from cybersecurity researchers at CloudSEK, who found a total of 3,207 mobile apps leaking valid consumer keys and consumer secrets for the Twitter API.

Many mobile apps offer integration with Twitter, allowing them to perform certain actions on behalf of users. The integration is done through the Twitter API and authenticated with a Consumer Key and Consumer Secret. By exposing these credentials, apps potentially allow threat actors to post tweets, send and read direct messages, and perform similar actions as the affected users. In theory, CloudSEK explains, a threat actor could assemble an "army" of Twitter accounts to promote a scam or malware campaign by tweeting, retweeting, direct messaging, and so on.


The researchers said the apps in question include online banking apps, urban transportation apps, radio tuners, etc., with each having between 50,000 and five million downloads.

In other words, millions of Twitter accounts are most likely at risk.

All app owners have been notified, but most haven't even acknowledged the notification, let alone fixed the issue. Ford Motors is one of the companies that quickly fixed the problem in its Ford Events app, the researchers said.

Until other apps resolve the issue, the list of apps will not be made public.

API key leaks, the researchers added, are usually the result of mistakes during application development. Developers sometimes embed their Twitter API authentication keys directly in the app while building it and then forget to remove them before release.

To prevent such leaks, CloudSEK recommends that developers use API key rotation, which invalidates exposed keys after a period of time.
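As an added example (not code from the article or from CloudSEK), the following scanner illustrates the kind of pre-release check that catches the mistake described above: it walks an app's source and resource files and flags hard-coded Twitter consumer keys and secrets. The identifier names it looks for, the assumed value lengths, and the sample files are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Identifier names typically used for Twitter consumer credentials (assumed, not from the article).
NAME_KEY = r"(?:twitter[_.]?)?(?:consumer|api)[_.]?key"
NAME_SECRET = r"(?:twitter[_.]?)?(?:consumer|api)[_.]?secret"

def _pattern(name: str, min_len: int, max_len: int) -> "re.Pattern[str]":
    # Covers Java/Kotlin assignments, Android strings.xml, .properties and JSON forms.
    return re.compile(
        r"\b" + name + r"\b[\"']?\s*[=:>]+\s*[\"']?"
        + r"([A-Za-z0-9]{%d,%d})(?=[\"'<;,\s]|$)" % (min_len, max_len),
        re.IGNORECASE | re.MULTILINE,
    )

# Assumed value shapes: consumer keys are about 25 alphanumerics, consumer secrets about 50.
PATTERNS = {"consumer_key": _pattern(NAME_KEY, 20, 30),
            "consumer_secret": _pattern(NAME_SECRET, 40, 60)}

def find_twitter_credentials(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line number, redacted value) in line order; values are redacted for reporting."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            value = m.group(1)
            findings.append((kind, line_no, value[:4] + "..." + value[-2:]))
    return sorted(findings, key=lambda f: f[1])

def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Map each path to its findings, keeping only files that leak something."""
    return {path: hits for path, text in files.items() if (hits := find_twitter_credentials(text))}

# Constructed sample files standing in for a decompiled app bundle; all values are fake.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="app_name">Demo Rider</string>\n'
        '  <string name="twitter_consumer_key">aBcDeFgHiJkLmNoPqRsTuVwXy</string>\n'
        '  <string name="twitter_consumer_secret">' + "s" * 50 + "</string>\n</resources>\n"
    ),
    "src/TwitterClient.java": (
        "public class TwitterClient {\n"
        "    // Keys belong on a backend or in secure storage, never in the APK.\n"
        '    static final String CONSUMER_KEY = "zyxwvutsrqponmlkjihgfedcb";\n'
        '    static final String CONSUMER_SECRET = "' + "t" * 50 + '";\n}\n'
    ),
    "config.properties": "api.endpoint=https://api.example.invalid\n",  # nothing to flag
}
```

Calling scan_files(SAMPLE_FILES) reports the key and secret in both the XML resource and the Java source, and nothing for config.properties; placeholder values such as YOUR_CONSUMER_KEY_HERE are not flagged because they do not look like real credentials.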

Via: BleepingComputer