IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts

Business and verified Twitter accounts linked to affected apps are at risk of takeover, use in malicious campaigns

3,207 apps have been identified as exposing the application program interface (API) keys of linked Twitter accounts, which can be used by threat actors to take control of accounts and use them for malicious purposes.

Digital risk monitoring platform CloudSEK identified the threat using BeVirgil, their security search engine for mobile apps, and set out the details in a report. Of the 3,207 apps, 230 apps were leaking all four authentication credentials necessary to fully take over accounts, which can be accessed simply by downloading and decompiling each app.

Researchers stated that with the leaked keys, threat actors could access Twitter accounts and perform a range of actions such as read direct messages, retweet and like other tweets, delete tweets, remove or add followers and access account settings.

CloudSEK also outlined a scenario in which threat actors could use a ‘bot army’ of seized accounts to perform attacks such as widespread disinformation campaigns, having verified accounts post malware or phishing links, inflate or deflate stock with spam posts, or promote cryptocurrency.

Aside from the immediate cost to companies of recovering accounts, the potential for reputational damage as a result of the vulnerability is sizeable. 

Verified accounts in particular are prized by threat actors for their perceived trustworthiness, but after widespread tweets containing malware or phishing links, customers might struggle to trust a company’s Twitter again.

57 of the apps had premium or enterprise subscriptions for Twitter API, which cost between $149 and $,2499 per month. Researchers indicated that the apps affected ranged in size from small to very large 'unicorns'. 

APIs are used to extend the functionality of an app to other developers, allowing them to embed the app in novel ways within their own program through the use of an interface.

Twitter uses OAuth tokens to link user accounts through the API without the need for the user’s password each time, and the standard is similarly used by Google, Facebook and Microsoft.

Researchers advised app developers to avoid directly embedding API keys in the code, and to observe several practices such as standardised review procedures, hiding keys in variables, and rotating keys regularly.

Advisories have been sent to the respective developers. However, Bleeping Computer reports that CloudSEK has not received acknowledgement from many of the apps exposing keys that changes have been implemented to fix the vulnerabilities. As a result, researchers have held off from publishing app names, to prevent spreading live vulnerability information.

"Whilst the "hack" itself is enabled by sloppy coding practices it highlights a very important point," commented Michael Tanaka, chief commercial officer at security firm MIRACL.

"The attacker can only abuse the privileges that the user has given to the app. Users should always review and question the purpose of any requested privileges, and if there is any doubt, deny them."

IT Pro has approached CloudSEK for comment.

This article has been updated to include comment from Michael Tanaka.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Twitter reports largest ever period for data requests in new transparency report
social media

Twitter reports largest ever period for data requests in new transparency report

1 Aug 2022
Elon Musk offers to buy Twitter for $41.39 billion, claiming only he can 'unlock its true potential'
social media

Elon Musk offers to buy Twitter for $41.39 billion, claiming only he can 'unlock its true potential'

14 Apr 2022
Jack Dorsey admits regret for helping to centralise the internet
Network & Internet

Jack Dorsey admits regret for helping to centralise the internet

4 Apr 2022
IT Pro News In Review: Cyber attack at Ikea, Meta ordered to sell Giphy, new Twitter CEO
cyber security

IT Pro News In Review: Cyber attack at Ikea, Meta ordered to sell Giphy, new Twitter CEO

3 Dec 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022