More than 3200 Apps Found Exposing Twitter API Keys

Researchers discovered a list of 3,207 mobile apps that are publicly exposing Twitter API keys, which can be used to gain access to or take over accounts. These apps were found to be leaking valid consumer keys and consumer secret API keys.

Of these apps, 230 were leaking all four authentication credentials that can be used to fully take over a user’s Twitter account.

 

The keys allow the app to act on the users' behalf, such as logging in via Twitter, creating tweets, and sending direct messages.

Researchers explain that the API keys are commonly leaked by app developers who embed their authentication keys in the Twitter API but forget to remove them when the app is released.

 

A threat actor with access to a Twitter account could perform actions such as reading direct messages, deleting tweets, accessing account settings, following other accounts, removing followers, and changing the account profile picture.

 

Taking over Twitter accounts via stolen API keys and abusing them for misinformation or scam is nothing new. Developers are recommended to use API key rotation to help reduce probable risks incurred from a leak. They can also review code for directly hard-coded API keys. In order to avoid any leaks, the developers are suggested to never store keys directly in a mobile app where threat actors can find them.