Security researchers have discovered over 3200 mobile apps which are leaking Twitter API keys, potentially enabling threat actors to perform account takeovers.
Twitter APIs enable developers to access the social media app in order to embed various bits of its functionality into their own software – for example, enabling gaming apps to post users’ top scores direct to their Twitter account.
Authentication is done via keys or tokens. However, CloudSEK found that on many occasions, developers with limited security know-how accidentally left those keys embedded in the Twitter API.
According to the research, they could be abused to perform a range of sensitive actions including: reading direct messages; retweeting; liking; deleting; removing followers; following accounts; and changing display pictures.
CloudSEK said it found 3207 apps which leaked a valid Consumer Key and Consumer Secret, potentially allowing malicious actors to build a large army of bot accounts.
“Sometimes, these credentials are not removed before deploying it in the production environment. Once the app gets uploaded to the play store, the API secrets are there for anyone to access,” it explained.
“A hacker can simply download the app and decompile it to get the API credentials. Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army.”
According to the report, this kind of Twitter bot could be used to:
- Spread misinformation globally
- Run large-scale malware campaigns designed to infect compromised account followers
- Launch spamming campaigns designed to facilitate investment fraud
- Automate phishing designed to enable follow-on social engineering campaigns
CloudSEK urged developers to conduct standardized code reviews, ensure files containing “environment variables” in the source code are not included, and rotate API keys.