Threat Advisory

Twitter API Keys Exposed in Public

August 9, 2022 | By Accorian

Hello,

Recently some researchers discovered that over 3000 mobile applications are leaking Twitter API keys to the public which can be used to gain unauthorized access to Twitter accounts and carry out actions such as retweeting, liking, and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture. Even worse, an attacker with the hold of such data can create a botnet and leverage this to spread misinformation on the social media platform. 

During the integration of a mobile app with Twitter, a special authentication key or token is generated which allows the application to interact with the Twitter API. The token or keys can also enable the app to act on behalf of the user such as logging them in via Twitter, creating tweets, sending DMs, etc. Therefore, it is not secure at all to store keys directly in a mobile application where threat actors can find them.

According to researchers, the leak is usually due to common mistakes by the app developers who integrate their authentication keys in the Twitter API but forget to omit them when the application is released. Out of the applications which are leaking Twitter API keys, some of which are unicorns, are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical malicious actions. 

Accorian recommends the developers implement rotation of API Keys at fixed interval of time. Accorian assures to assist and set up a strategic cybersecurity solution for all its clients which covers all bases thoroughly. Please feel free to reach out to us if you have any questions or want to get your mobile application tested for this vulnerability.

Source: https://cloudsek.com/whitepapers_reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army/ 

Threat Advisory Team 

Accorian

Recent Post

    Ready to Start?



      Ready to Start?



        Download Case study




          Download Guide




          Human Resources Director

          Posted On: 09 May, 2022

          Drop your CVs to joinourteam@accorian.com

            Interested Position

            First Name

            Last Name

            Email

            Total Experience

            Mobile Number

            Upload Resume