According to CloudSEK, a Singapore-based cybersecurity firm, 3,207 apps are leaking Twitter API keys, in particular the Consumer Key and Consumer Secret. Furthermore, 230 of them are leaking all four credentials.
These credentials are usually kept private as they can be used to fully take over one’s Twitter account. They also enable one to perform critical and sensitive actions. These actions include standard Twitter actions such as retweeting, deleting tweets, following accounts, liking, and removing followers.
However, malicious actors can also do more nefarious acts, such as accessing account settings to change or delete one’s account and changing profile pictures.
To access the Twitter API, you have to generate secret keys and access tokens. These act as usernames and passwords for apps and the users who will be making the API request.
Therefore, anyone with malicious intent who is in possession of these credentials can build a Twitter bot army. Such an army can be used for any purpose, such as spreading misinformation and disinformation on this highly reputable social media platform.
Researchers note that if one actor takes over multiple accounts and spreads the same misinformation through all of them, the repetition reinforces the message being spread.
In a hypothetical scenario shared by CloudSEK, the API keys and tokens stolen from these 3,207 mobile apps could be embedded into a program, and that program could then be used to operate large-scale malware campaigns. Using the verified accounts among them, the program would be able to target those accounts' followers.
Adding to the concern, the leak is not limited to Twitter API keys: CloudSEK researchers also found secret keys for HubSpot, AWS, Razorpay, and GitHub accounts.
Therefore, to mitigate such attacks, source code should be reviewed for directly hard-coded API keys, and keys should be rotated periodically so that any key that does leak has a limited window of usefulness.
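The review step above can be automated with a small secret scanner. The following is an added example, not code from CloudSEK or from the article: it scans source text for the four Twitter credentials assigned as string literals next to a recognisable variable name. The variable-name prefixes and the length and character-set rules are approximations based on common secret-scanning conventions (an assumption of this example, not a published specification), and the sample file it scans is constructed for illustration.

```python
import re
from typing import List, Tuple

# Heuristic patterns for the four Twitter credentials. Each pattern requires
# a suggestive variable name followed by a quoted literal of roughly the right
# shape. Lengths and character sets are approximations (assumption).
PATTERNS = {
    "consumer_key": re.compile(
        r'(?i)(consumer[_-]?key|api[_-]?key)\s*[=:]\s*["\']([A-Za-z0-9]{25})["\']'),
    "consumer_secret": re.compile(
        r'(?i)(consumer[_-]?secret|api[_-]?secret)\s*[=:]\s*["\']([A-Za-z0-9]{50})["\']'),
    "access_token": re.compile(
        r'(?i)access[_-]?token\s*[=:]\s*["\'](\d+-[A-Za-z0-9]{40})["\']'),
    "access_token_secret": re.compile(
        r'(?i)access[_-]?token[_-]?secret\s*[=:]\s*["\']([A-Za-z0-9]{45})["\']'),
}

# Constructed sample of an app config that embeds credentials directly.
# The last line reads the key from the environment at runtime, which is the
# pattern a reviewer wants to see instead, and must not be flagged.
SAMPLE_SOURCE = """\
# constructed sample config that leaks Twitter credentials
TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY"
TWITTER_CONSUMER_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWx"
TWITTER_ACCESS_TOKEN = "1234567890-AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMn"
TWITTER_ACCESS_TOKEN_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrS"
consumer_key = os.environ["TWITTER_CONSUMER_KEY"]  # read at runtime: fine
"""


def mask(secret: str) -> str:
    """Show only the first four and last two characters so a report does not
    itself become a second copy of the leaked credential."""
    return secret[:4] + "..." + secret[-2:]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, credential_type, masked_value) for every
    hard-coded credential found in the given source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                # The credential value is always the last capture group.
                value = match.group(match.lastindex)
                findings.append((lineno, label, mask(value)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper to scan a file on disk (hypothetical path)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_source(handle.read())


def main() -> None:
    for lineno, label, masked in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {label} ({masked})")


if __name__ == "__main__":
    main()
```

Run as-is it reports the four credentials on lines 2 to 5 of the constructed sample and nothing for the environment lookup; point `scan_file` at a checkout to review real code. Any hit should be treated as already compromised: remove the literal, load the credential from secure storage at runtime, and rotate the key.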