3,200 Mobile Apps Discovered To Be Leaking Twitter API Keys

According to CloudSEK, a Singapore-based cybersecurity firm, 3,207 mobile apps are leaking Twitter API credentials, specifically the Consumer Key and Consumer Secret that identify the app to Twitter. Worse, 230 of them leak all four credentials: Consumer Key, Consumer Secret, Access Token and Access Token Secret.

These credentials are meant to stay private, because with all four of them an attacker can fully take over the associated Twitter account and perform sensitive actions on its behalf. That includes ordinary account actions such as retweeting, deleting tweets, following accounts, liking, and removing followers.

More damaging, an attacker can also reach the account settings to change or delete the account, and change the profile picture.

To call the Twitter API, a developer generates a Consumer Key and Consumer Secret for the app, plus an Access Token and Access Token Secret for the user on whose behalf requests are made. Together they act as the username and password of the app and of that user.

Anyone who collects these credentials can therefore assemble a bot army of hijacked accounts and use it for any purpose, such as spreading misinformation and disinformation on the platform.

The researchers note that when one actor controls many accounts and pushes the same false message through all of them, the repetition amplifies the message.

In a hypothetical scenario described by CloudSEK, the keys and tokens harvested from the 3,207 apps could be embedded in a single program that drives large-scale malware campaigns; because some of the hijacked accounts are verified, the bots could target those accounts' followers.

Twitter keys were not the only secrets exposed: the CloudSEK researchers also found secret keys for HubSpot, AWS, Razorpay, and GitHub accounts.

The mitigation is the usual one: review the code for hard-coded API keys and remove them, since anything embedded in a shipped app binary can be extracted by whoever installs it; and rotate keys periodically so that a key that does leak has a limited useful life.
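As an added example (not part of the article or of CloudSEK's research), the Python script below shows the kind of review the previous paragraph calls for. It scans text pulled out of an app package (an Android strings.xml and a Java constants class) for credential-looking assignments, classifies each hit by the name it is assigned to and by the shape of the value, and then reports whether the set found reaches the "all four credentials" takeover case the article describes. The file contents and every value in them are constructed for this example; the expected value shapes are assumptions taken from commonly published secret-scanner rules, not from the article.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: fragments a reviewer might pull out of a decompiled
# Android app. Every value below is made up for this example; none is real.
SAMPLE_APP_FILES = {
    "res/values/strings.xml": """
<resources>
    <string name="app_name">DemoTweeter</string>
    <string name="twitter_consumer_key">k7Qm2pXv9Lt4RbN8sW3yZc1Hd</string>
    <string name="staging_consumer_key">placeholderconsumerkey12</string>
    <string name="twitter_consumer_secret">s9Vb3Kq8Ln2Zw7Px4Mc6Rt1Yh5Gf0Jd3Nb8Vk2Qs7Lp4Wx9ZmT</string>
</resources>
""",
    "com/example/demo/Config.java": """
public final class Config {
    static final String ACCESS_TOKEN = "1234567890-Qw8Er3Ty6Ui2Op5As9Df4Gh7Jk1Lz0Xc3Vb6Nm2Q";
    static final String ACCESS_TOKEN_SECRET = "Zx4Cv7Bn1Mq9Wp2Er5Ty8Ui3Op6As0Df1Gh4Jk7Lz2Xc9";
    static final String API_BASE = "https://api.twitter.com/2/";
}
""",
}

# For each credential kind: a regex for the name it tends to be assigned to,
# and a regex for the shape of the value. The shapes (25/50/45 alphanumerics,
# "<digits>-<40 chars>") are ASSUMED from public secret-scanner rules.
CREDENTIAL_KINDS = {
    "consumer_key": (re.compile(r"(?i)(consumer|api)[_\-. ]?key"),
                     re.compile(r"[A-Za-z0-9]{25}")),
    "consumer_secret": (re.compile(r"(?i)(consumer|api)[_\-. ]?secret"),
                        re.compile(r"[A-Za-z0-9]{50}")),
    "access_token": (re.compile(r"(?i)access[_\-. ]?token(?![_\-. ]?secret)"),
                     re.compile(r"[0-9]{5,25}-[A-Za-z0-9]{40}")),
    "access_token_secret": (re.compile(r"(?i)access[_\-. ]?token[_\-. ]?secret"),
                            re.compile(r"[A-Za-z0-9]{45}")),
}

# A candidate value: 20-60 token characters directly after a quote, '>' or '='
# (covers Java/Kotlin string literals, XML text nodes and .properties lines).
VALUE_RE = re.compile(r'(?<=["\'>=])\s*([A-Za-z0-9-]{20,60})(?=["\'<\s]|$)')

ALL_FOUR = {"consumer_key", "consumer_secret", "access_token", "access_token_secret"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str
    shape_ok: bool  # value looks like a real credential of this kind


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-looking assignment in one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (name_hint, shape) in CREDENTIAL_KINDS.items():
            if not name_hint.search(line):
                continue  # name match is the first filter, shape the second
            for value in VALUE_RE.findall(line):
                findings.append(Finding(path, line_no, kind, value, bool(shape.fullmatch(value))))
    return findings


def scan_app(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def assess(findings: list[Finding]) -> dict:
    """Map the confirmed credential set onto the impact the article describes."""
    confirmed = {f.kind for f in findings if f.shape_ok}
    if ALL_FOUR <= confirmed:
        risk = "account takeover: all four credentials present"
    elif {"consumer_key", "consumer_secret"} <= confirmed:
        risk = "app impersonation: consumer key and secret present"
    elif confirmed:
        risk = "partial leak"
    else:
        risk = "no credentials confirmed"
    return {"confirmed": sorted(confirmed), "risk": risk}


def mask(value: str) -> str:
    """Never echo a recovered secret in full into a report or log."""
    return value[:4] + "..." + value[-2:]


if __name__ == "__main__":
    found = scan_app(SAMPLE_APP_FILES)
    for f in found:
        flag = "shape ok" if f.shape_ok else "name only"
        print(f"{f.path}:{f.line_no}  {f.kind:<20} {mask(f.value)}  [{flag}]")
    print(assess(found))
```

The name-plus-shape split is deliberate: a string called staging_consumer_key that holds a placeholder is worth a look but is not proof of a leak, while four values that both carry the right names and have the right shapes are exactly the takeover case. Running the scanner over the real extracted files of an app (for example the output of apktool or jadx) is the same call with different input; the fix for anything it confirms is to move the secret behind a server the app talks to and rotate it, not to obfuscate it in the binary.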

Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.