Threat Advisory

Twitter API Keys Exposed in Public

August 9, 2022 | By Accorian


Researchers recently found that over 3,000 mobile applications leak Twitter API keys to the public. These keys can be used to gain unauthorized access to the associated Twitter accounts and to carry out actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings and even changing the account profile picture. Worse, an attacker holding enough such keys can assemble the accounts into a botnet and use it to spread misinformation on the platform.

When a mobile app is integrated with Twitter, an authentication key or token is generated that allows the application to interact with the Twitter API. The same credentials can let the app act on behalf of the user, for example logging them in via Twitter, creating tweets or sending DMs. Storing these keys directly in the mobile application, where threat actors can extract them, is therefore not secure at all.

According to the researchers, the leak usually stems from a common developer mistake: the authentication keys used to call the Twitter API are embedded in the app during development and are not removed before the application is released. Some of the leaking applications, including apps from unicorn companies, expose all four authentication credentials, which allows a full takeover of the associated Twitter accounts and any critical malicious action on them.
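The mistake described above can be caught before release by scanning the app's packaged resources (decoded `strings.xml`, plists, JS bundles) for credential-shaped strings next to Twitter-related setting names, and by flagging the case where all four OAuth credentials are present together. The scanner below is an added example written for this advisory, not Accorian's tooling or the researchers' method. It assumes the standard four-part Twitter OAuth 1.0a credential set (consumer key, consumer secret, access token, access token secret); the length patterns are approximate heuristics, the keyword list and file names are assumptions, and the sample inputs are constructed.

```python
"""Heuristic scanner for Twitter OAuth credentials left in mobile app resources.

Added example for this advisory (not Accorian's tooling). Credential shapes
are assumptions approximating Twitter OAuth 1.0a credentials; sample inputs
are constructed and contain no real keys.
"""
import re
from dataclasses import dataclass

# Setting names developers commonly use (assumption). A line must mention one of
# them before we look for secret-shaped strings: this cuts false positives from
# base64 assets and hashes, at the cost of missing unnamed constants.
KEYWORDS = ("twitter", "consumer_key", "consumer_secret", "access_token", "oauth")

# Approximate shapes of the four OAuth 1.0a credentials (heuristic, assumption).
PATTERNS = {
    "consumer_key":        re.compile(r"\b[A-Za-z0-9]{25}\b"),
    "consumer_secret":     re.compile(r"\b[A-Za-z0-9]{50}\b"),
    "access_token":        re.compile(r"\b[0-9]{10,25}-[A-Za-z0-9]{30,45}\b"),
    "access_token_secret": re.compile(r"\b[A-Za-z0-9]{45}\b"),
}
FULL_SET = frozenset(PATTERNS)


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    masked: str  # the report never carries the full value


def mask(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so scan reports can be shared safely."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str, source: str = "<inline>") -> list:
    """Return one Finding per credential-shaped string on a keyword-bearing line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        if not any(k in lowered for k in KEYWORDS):
            continue
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(source, lineno, kind, mask(m.group(0))))
    return findings


def summarize(findings) -> dict:
    """Report which credential kinds leaked; all four means full account takeover."""
    kinds = {f.kind for f in findings}
    return {"kinds": sorted(kinds), "full_credential_set": kinds == FULL_SET}


# Constructed Android strings.xml with all four credentials hard-coded (fake values).
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">ExampleApp</string>
    <string name="twitter_consumer_key">CONSTRUCTEDkey0123456789A</string>
    <string name="twitter_consumer_secret">CONSTRUCTEDsecret012345678901234567890123456789abc</string>
    <string name="twitter_access_token">1234567890123456-CONSTRUCTEDtoken01234567890123456789abcd</string>
    <string name="twitter_access_token_secret">CONSTRUCTEDtokensecret01234567890123456789xyz</string>
</resources>
"""

# Constructed clean file: a Twitter label and a long base64 asset, but no keys.
CLEAN_STRINGS_XML = """\
<resources>
    <string name="twitter_share_label">Share on Twitter</string>
    <string name="logo_base64">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</string>
</resources>
"""

if __name__ == "__main__":
    for name, text in (("leaky/strings.xml", SAMPLE_STRINGS_XML),
                       ("clean/strings.xml", CLEAN_STRINGS_XML)):
        hits = scan_text(text, name)
        for f in hits:
            print(f"{f.source}:{f.line} {f.kind}: {f.masked}")
        print(name, summarize(hits))
```

Run it against the directory produced by unpacking a release build rather than the source tree, since that is what an attacker sees; a `full_credential_set` result is the condition the advisory describes as enabling complete account takeover and should block the release until the keys are moved out of the app and rotated.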

Accorian recommends that developers rotate API keys at fixed intervals. Accorian can assist in setting up a strategic cybersecurity solution that thoroughly covers all bases for its clients. Please feel free to reach out to us if you have any questions or want your mobile application tested for this vulnerability.


Threat Advisory Team 
