Cybersecurity researchers at CloudSEK have uncovered a set of 3,207 mobile apps exposing Twitter API keys to the public, potentially enabling a threat actor to take over users’ Twitter accounts.
CloudSEK analyzed large app sets for potential data leaks and found the apps leaking a valid Consumer Key and Consumer Secret for the Twitter API. CloudSEK found that 230 apps were leaking all 4 Auth Creds and can be used to fully take over Twitter accounts to perform critical/sensitive actions such as read direct messages, retweet, like, delete, remove followers, follow any account, get account settings and change display pictures.
Scott Gerlach, Co-Founder and CSO at StackHawk, says, “Exposing an ‘all access’ API key is essentially giving away the keys to the front door as a single key controls all of the data in the API. You have to understand how to manage user access to an API and how to securely provision access to the API. If you don’t understand that, you have put yourself way behind the eight ball.”
This type of vulnerability is one of the easiest to prevent, says Ray Kelly, Fellow at Synopsys Software Integrity Group. “When assessing a mobile app for security gaps, it is important to test the backend server, the network layer and in this case, the device itself. Failure to encrypt API secrets on the device is akin to wrapping your ATM card in a Post-It note with your PIN written on it,” Kelly explains. “However, in this case, the consequences are much more severe and could lead to attackers executing misinformation campaigns or impersonation attacks that can be targeted to specific Twitter users.”
CloudSEK urged developers to conduct standardized code reviews, ensure files containing “environment variables” in the source code are not included, and rotate API keys.
For more information, visit cloudsek.com.
