Researchers in cybersecurity have found 3,207 mobile apps that expose Twitter API keys to the public, potentially allowing a threat actor to hijack users’ connected Twitter accounts.
The finding was made by cybersecurity company CloudSEK, which examined a broad range of apps for possible data leaks and discovered 3,207 exposing a legitimate Consumer Key and Consumer Secret for the Twitter API.
Developers who integrate mobile apps with Twitter will receive unique authentication keys, or tokens, that enable those apps to communicate with the Twitter API.
When a user links their Twitter account to this mobile app, the keys also give the app the ability to act on their behalf. For example, the app can log them into Twitter, create tweets, send direct messages, and more. It is never advised to put keys directly in a mobile app where threat actors might locate them because having access to these authentication credentials could allow anyone to undertake actions as related Twitter users.
Building a Twitter army
According to CloudSEK, mistakes made by app developers that include their authentication keys in the Twitter API but forget to remove them after the smartphone is deployed frequently lead to API key leaks.
In these circumstances, the following places in mobile applications house the credentials:
- Read someone’s direct messages
- Perform retweets and likes
- Create or delete tweets
- Remove or add new followers
- Access account settings
- Change display picture
According to CloudSEK, one of the most prominent examples of abusing this access would be for a threat actor to use these exposed tokens to assemble a Twitter army of verified (reliable) accounts with a sizable following in order to spread false information, malware campaigns, cryptocurrency scams, etc.
Bad practices
According to CloudSEK, app developers frequently make blunders by forgetting to delete their authentication keys once the mobile app is deployed after embedding them in the Twitter API.
In these circumstances, the following places in mobile applications house the credentials: resources/res/values/strings.xml
- source/resources/res/values-es-rAR/strings.xml
- source/resources/res/values-es-rCO/strings.xml
- source/sources/com/app-name/BuildConfig.java
To protect authentication keys, CloudSEK advises developers to use API key rotation, which would render the disclosed keys useless after a few months.
Who is impacted?
A list of impacted apps, provided by CloudSEK to BleepingComputer, including radio tuners, book readers, event trackers, newspapers, e-banking apps, cycling GPS apps, and others. These programmes had between 50,000 and 5,000,000 downloads.
After a month since CloudSEK warned them, the majority of applications that make their API keys publicly available had not even acknowledged seeing the alerts, let alone remedied the problems.
Due to the fact that these apps are still susceptible to exploitation and Twitter account takeover, BleepingComputer will not release the list of apps.
Ford Motors stands out as an exceptional case because it responded and fixed the “Ford Events” app, which was also leaking Twitter API keys.
