Home>Blog>The Hacker News Headlines>Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys
The Hacker News Headlines

Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

Twitter API Keys

Researchers have uncovered a list of 3,207 apps, some of which
can be utilized to gain unauthorized access to Twitter
accounts.

The takeover is made possible, thanks to a leak of legitimate
Consumer Key and Consumer Secret information, respectively,
Singapore-based cybersecurity firm CloudSEK said in a report[1] exclusively shared with
The Hacker News.

“Out of 3,207, 230 apps are leaking all four authentication
credentials and can be used to fully take over their Twitter
Accounts and can perform any critical/sensitive actions,” the
researchers said.

CyberSecurity

This can range from reading direct messages to carrying out
arbitrary actions such as retweeting, liking and deleting tweets,
following any account, removing followers, accessing account
settings, and even changing the account profile picture.

Access to the Twitter API requires[2]
generating the Keys and Access Tokens, which act as the usernames
and passwords for the apps as well as the users on whose behalf the
API requests will be made.

A malicious actor in possession of this information can,
therefore, create a Twitter bot army that could be potentially
leveraged to spread mis/disinformation on the social media
platform.

“When multiple account takeovers can be utilized to sing the
same tune in tandem, it only reiterates the message that needs to
get disbursed,” the researchers noted.

CyberSecurity

What’s more, in a hypothetical scenario explained by CloudSEK,
the API keys and tokens harvested from the mobile apps can be
embedded in a program to run large-scale malware campaigns through
verified accounts to target their followers.

Added to the concern, it should be noted that the key leak is
not limited to Twitter APIs alone. In the past, CloudSEK
researchers have uncovered the secret keys for GitHub, AWS[3], HubSpot, and Razorpay
accounts from unprotected mobile apps.

To mitigate such attacks, it’s recommended to review code for
directly hard-coded API keys, while also periodically rotating keys
to help reduce probable risks incurred from a leak.

“Variables in an environment are alternate means to refer to
keys and disguise them apart from not embedding them in the source
file,” the researchers said.

“Variables save time and increase security. Adequate care should
be taken to ensure that files containing environment variables in
the source code are not included.”

References

  1. ^
    CloudSEK
    said in a report     (cloudsek.com)
  2. ^
    requires
    (developer.twitter.com)
  3. ^
    AWS
    (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.