Thousands of apps are leaking Twitter API keys, giving attackers the chance to completely take over those accounts, and use them for identity theft (opens in new tab) or other types of cyber-fraud.
The findings come courtesy of cybersecurity experts CloudSEK, which found a total of 3,207 mobile apps leaking valid Consumer Keys, as well as Consumer Secrets, for the Twitter API.
Various mobile apps offer integration with Twitter, allowing those apps to perform certain actions in the users’ stead. The integration is done through the Twitter API and with the help of Consumer Keys and Secrets. By leaking this type of data, the apps potentially allow threat actors to tweet things, send and read direct messages, or similar. In theory, CloudSEK explains, a threat actor could amass an “army” of Twitter endpoints (opens in new tab) that would promote a scam or a malware campaign by tweeting, retweeting, reaching out via DMs, etc.
Millions of downloads
The researchers said the apps in question include e-banking apps, city transportation apps, radio tuners, and similar, and have between 50,000 and five million downloads, each.
In other words, millions of Twitter accounts are most likely at risk.
All of the app owners have been notified, but most of them failed to even acknowledge being notified, let alone address the issue. Ford Motors is one of the companies that fixed the problem fast, on its Ford Events app, it was said.
Until other apps fix the issue, the list of the apps will not be made public.
API leaks, the researchers added, are usually the result of errors in app development. Sometimes, developers will embed authentication keys in the Twitter API and later forget to remove them.
To prevent such leaks, CloudSEK recommends devs use API key rotation, which would render exposed keys invalid after some time.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba