
Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts

Business and verified Twitter accounts linked to affected apps are at risk of takeover, use in malicious campaigns

3,207 apps have been identified as exposing the application programming interface (API) keys of linked Twitter accounts, which threat actors can use to take control of those accounts and put them to malicious use.

Digital risk monitoring platform CloudSEK identified the threat using BeVigil, its security search engine for mobile apps, and set out the details in a report. Of the 3,207 apps, 230 were leaking all four authentication credentials needed to fully take over an account; the credentials can be recovered simply by downloading and decompiling each app.

Researchers stated that with the leaked keys, threat actors could access Twitter accounts and perform a range of actions such as reading direct messages, retweeting and liking other tweets, deleting tweets, removing or adding followers and accessing account settings.

CloudSEK also outlined a scenario in which threat actors could use a ‘bot army’ of seized accounts for attacks such as widespread disinformation campaigns, having verified accounts post malware or phishing links, inflating or deflating stock prices with spam posts, or promoting cryptocurrency.

Aside from the immediate cost to companies of recovering accounts, the potential for reputational damage resulting from the vulnerability is sizeable.

Verified accounts in particular are prized by threat actors for their perceived trustworthiness, but after widespread tweets containing malware or phishing links, customers might struggle to trust a company’s Twitter again.

57 of the apps had premium or enterprise subscriptions for the Twitter API, which cost between $149 and $2,499 per month. Researchers indicated that the affected apps ranged in size from small to very large 'unicorns'.

An API exposes an app's functionality to other developers, letting them call it from their own programs through a defined interface and embed it in novel ways.

Twitter uses OAuth tokens to link user accounts through the API without the need for the user’s password each time, and the standard is similarly used by Google, Facebook and Microsoft.

Researchers advised app developers not to embed API keys directly in code, and to follow practices such as standardised review procedures, storing keys in variables rather than hard-coding them, and rotating keys regularly.
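The review step the researchers recommend can be automated as a pre-release check that a developer runs over their own build, a project checkout or a decompiler's output, to catch exactly the hard-coded credentials the report describes. The following is an added example, not code from CloudSEK, BeVigil or the report; the credential shapes it matches (a 25-character consumer key, a 50-character consumer secret, an access token of digits, a hyphen and 40 characters, and a 45-character access token secret) are assumptions about the usual form of Twitter credentials, and the sample sources and placeholder key values are constructed for the example. It also flags the condition the report singles out: all four credentials present together, which is what allows full account takeover.

```python
"""Pre-release scanner for hard-coded Twitter API credentials in source or
decompiled app output. Added example, not CloudSEK's BeVigil or any code from
the report; the credential shapes below are assumptions, not official formats."""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumed credential shapes (illustrative, not authoritative). Each pattern
# needs a label such as consumer_key / api_secret / access_token_secret next to
# the value, so an unrelated long string is not reported as a credential.
SEP = r"""["'\s:=>]+"""  # separators seen between a label and its value
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "consumer_key": re.compile(r"(?i)(?:consumer|api)[_\s]*key" + SEP + r"([A-Za-z0-9]{25})\b"),
    "consumer_secret": re.compile(r"(?i)(?:consumer|api)[_\s]*secret" + SEP + r"([A-Za-z0-9]{50})\b"),
    "access_token": re.compile(r"(?i)access[_\s]*token" + SEP + r"(\d+-[A-Za-z0-9]{40})\b"),
    "access_token_secret": re.compile(r"(?i)access[_\s]*token[_\s]*secret" + SEP + r"([A-Za-z0-9]{45})\b"),
}
# All four kinds together are what the report says enables a full takeover.
REQUIRED_FOR_TAKEOVER = frozenset(PATTERNS)


def mask(secret: str) -> str:
    """Keep a short prefix so a finding can be matched to the real key without
    the scanner itself writing the full secret into CI logs."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {credential_kind: [masked_value, ...]} for every match in text."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found.setdefault(kind, []).append(mask(match.group(1)))
    return found


def scan_sources(sources: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan an in-memory {path: content} mapping; only files with findings are returned."""
    return {path: f for path, content in sources.items() if (f := scan_text(content))}


def scan_tree(root: Path, suffixes=(".java", ".kt", ".xml", ".smali", ".json", ".properties")):
    """Scan a directory on disk, e.g. a project checkout or decompiler output."""
    files = {str(p): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}
    return scan_sources(files)


def full_takeover_possible(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when every credential kind appears somewhere in the scanned build."""
    leaked = frozenset(kind for findings in report.values() for kind in findings)
    return REQUIRED_FOR_TAKEOVER <= leaked


# Constructed placeholder credentials with the assumed lengths; not real keys.
SAMPLE_CONSUMER_KEY = "ck" + "A" * 23            # 25 chars
SAMPLE_CONSUMER_SECRET = "cs" + "B" * 48         # 50 chars
SAMPLE_ACCESS_TOKEN = "1234567890-" + "C" * 40   # digits-hyphen-40 chars
SAMPLE_ACCESS_TOKEN_SECRET = "ts" + "D" * 43     # 45 chars

# Constructed sample "decompiled" sources standing in for a real app tree.
SAMPLE_SOURCES = {
    # Ships every credential: the state the report found in 230 apps.
    "decompiled/com/example/app/TwitterConfig.java": f"""
public final class TwitterConfig {{
    public static final String CONSUMER_KEY = "{SAMPLE_CONSUMER_KEY}";
    public static final String CONSUMER_SECRET = "{SAMPLE_CONSUMER_SECRET}";
    public static final String ACCESS_TOKEN = "{SAMPLE_ACCESS_TOKEN}";
    public static final String ACCESS_TOKEN_SECRET = "{SAMPLE_ACCESS_TOKEN_SECRET}";
}}
""",
    # Only the app-level key pair: still a leak, but not a full account takeover.
    "decompiled/res/values/strings.xml": f"""
<resources>
    <string name="twitter_api_key">{SAMPLE_CONSUMER_KEY}</string>
    <string name="twitter_api_secret">{SAMPLE_CONSUMER_SECRET}</string>
</resources>
""",
    # Hardened form: the value is read at runtime, so there is nothing to harvest.
    "src/main/java/com/example/app/Config.java": """
public final class Config {
    public static String consumerKey() { return System.getenv("TWITTER_CONSUMER_KEY"); }
}
""",
}

if __name__ == "__main__":
    # Usage: python scan.py <dir>   (no argument scans the constructed samples)
    report = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_sources(SAMPLE_SOURCES)
    for path, findings in report.items():
        for kind, values in findings.items():
            print(f"{path}: hard-coded {kind}: {', '.join(values)}")
    if full_takeover_possible(report):
        print("FAIL: all four Twitter credentials present; linked account can be fully taken over")
    sys.exit(1 if report else 0)
```

Run against the samples, the scanner reports the Java class with all four kinds and the strings.xml with the key pair, leaves the environment-variable version alone, and exits non-zero so a CI job fails the build. Because the same check runs over decompiler output, it also catches secrets that a build step copied into resources or generated code rather than the checked-in source.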

Advisories have been sent to the respective developers. However, Bleeping Computer reports that CloudSEK has not received acknowledgement from many of the developers of the affected apps that fixes have been implemented. As a result, researchers have held off from publishing app names, to avoid spreading live vulnerability information.

"Whilst the 'hack' itself is enabled by sloppy coding practices, it highlights a very important point," commented Michael Tanaka, chief commercial officer at security firm MIRACL.

"The attacker can only abuse the privileges that the user has given to the app. Users should always review and question the purpose of any requested privileges, and if there is any doubt, deny them."

IT Pro has approached CloudSEK for comment.

This article has been updated to include comment from Michael Tanaka.
