Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys


Researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of which can be utilized to gain unauthorized access to Twitter accounts associated with them.

The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.

“Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions,” the researchers said.


This can range from reading direct messages to carrying out arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture.

Access to the Twitter API requires generating secret keys and access tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made.

A malicious actor in possession of this information can, therefore, create a Twitter bot army that could be potentially leveraged to spread mis/disinformation on the social media platform.

“When multiple account takeovers can be utilized to sing the same tune in tandem, it only reiterates the message that needs to get disbursed,” the researchers noted.


What’s more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps can be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.

Added to the concern, it should be noted that the key leak is not limited to Twitter APIs alone. In the past, CloudSEK researchers have uncovered the secret keys for GitHub, AWS, HubSpot, and Razorpay accounts from unprotected mobile apps.

To mitigate such attacks, it’s recommended to review code for directly hard-coded API keys, while also periodically rotating keys to help reduce probable risks incurred from a leak.

“Variables in an environment are alternate means to refer to keys and disguise them apart from not embedding them in the source file,” the researchers said.

“Variables save time and increase security. Adequate care should be taken to ensure that files containing environment variables in the source code are not included.”

Products You May Like

Articles You May Like

Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw
Signal Foundation Warns Against EU’s Plan to Scan Private Messages for CSAM
Warning: New Adware Campaign Targets Meta Quest App Seekers
Hacktivism is evolving – and that could be bad news for organizations everywhere
The long-tail costs of a data breach – Week in security with Tony Anscombe

Leave a Reply

Your email address will not be published. Required fields are marked *