Researchers discovered a list of 3,207 mobile apps that are publicly exposing Twitter API keys, which can be used to gain access to or take over accounts. These apps were found to be leaking valid consumer keys and consumer secret API keys.
Of these apps, 230 were leaking all four authentication credentials that can be used to fully take over a user’s Twitter account.

How to access Twitter API?

Accessing Twitter API requires the creation of secret keys and access tokens.
The keys and tokens serve as usernames and passwords for both the apps and the users on whose behalf the API requests are made.
The keys allow the app to act on the users' behalf, such as logging in via Twitter, creating tweets, and sending direct messages.

Who leaked the API keys?

Researchers explain that the API keys are commonly leaked by app developers who embed their authentication keys in the Twitter API but forget to remove them when the app is released.

What’s at stake?

A threat actor with access to a Twitter account could perform actions such as reading direct messages, deleting tweets, accessing account settings, following other accounts, removing followers, and changing the account profile picture.
  • A malicious actor in possession of the exposed tokens can thus build a Twitter bot army that can be used to spread misinformation on the social media platform.
  • The API keys and tokens obtained from the mobile apps can be embedded in a program to run large-scale malware campaigns targeting verified accounts.

Mitigation and conclusion

Taking over Twitter accounts via stolen API keys and abusing them for misinformation or scam is nothing new. Developers are recommended to use API key rotation to help reduce probable risks incurred from a leak. They can also review code for directly hard-coded API keys. In order to avoid any leaks, the developers are suggested to never store keys directly in a mobile app where threat actors can find them.
Cyware Publisher