Thousands of apps are leaking Twitter API keys, giving attackers the chance to completely take over those accounts and use them for identity theft or other types of cyber-fraud.
The findings come courtesy of cybersecurity experts CloudSEK, which found a total of 3,207 mobile apps leaking valid Consumer Keys, as well as Consumer Secrets, for the Twitter API.
Various mobile apps offer integration with Twitter, allowing those apps to perform certain actions on the users’ behalf. The integration is done through the Twitter API with the help of Consumer Keys and Secrets. By leaking this type of data, the apps potentially allow threat actors to tweet, send and read direct messages, and more. In theory, CloudSEK explains, a threat actor could amass an “army” of Twitter endpoints that would promote a scam or a malware campaign by tweeting, retweeting, reaching out via DMs, etc.
Millions of downloads
The researchers said the apps in question include e-banking apps, city transportation apps, radio tuners, and similar, each with between 50,000 and five million downloads.
In other words, millions of Twitter accounts are most likely at risk.
All of the app owners have been notified, but most of them failed to even acknowledge the notification, let alone address the issue. Ford Motors was one of the companies that fixed the problem quickly, in its Ford Events app, according to the report.
Until other apps fix the issue, the list of the apps will not be made public.
API leaks, the researchers added, are usually the result of errors in app development. Sometimes developers embed the Twitter API authentication keys in the app during development and later forget to remove them.
To prevent such leaks, CloudSEK recommends that developers use API key rotation, which renders exposed keys invalid after a set period.
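As an added illustration (not code from the article or from CloudSEK), here is a small pre-release check that flags Twitter Consumer Keys and Secrets embedded in an app's decompiled sources or resource files, so a team can catch the mistake before shipping. The identifier names and the 25/50-character value lengths are heuristics assumed for this example, and the sample input is constructed.

```python
import re
from typing import List, Tuple

# Identifier names developers commonly give Twitter consumer credentials
# (heuristic chosen for this example, not from the article).
NAME_RE = re.compile(r"(?i)(twitter[_.]?)?(consumer|api)[_.]?(key|secret)")
# Value heuristic: a run of exactly 25 (key) or 50 (secret) [A-Za-z0-9]
# characters delimited by quotes or XML tags. The lengths are an
# assumption about Twitter's credential format.
VALUE_RE = re.compile(r"""(?<=["'>])([A-Za-z0-9]{25}|[A-Za-z0-9]{50})(?=["'<])""")


def mask(value: str) -> str:
    """Show only a short prefix so the scan report does not itself leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_embedded_twitter_creds(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for each line that assigns a
    credential-shaped literal to a Twitter consumer key/secret identifier."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        name = NAME_RE.search(line)
        value = VALUE_RE.search(line)
        if name and value:
            kind = "secret" if "secret" in name.group(0).lower() else "key"
            hits.append((n, kind, mask(value.group(1))))
    return hits


# Constructed sample: a decompiled Java constant block and an Android
# strings.xml fragment, as a pre-release scan of an app bundle might see them.
SAMPLE = """\
public final class TwitterConfig {
    static final String TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY";
    static final String TWITTER_CONSUMER_SECRET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN";
    static final String APP_NAME = "Transit Tracker";
}
<string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
"""

if __name__ == "__main__":
    for line_no, kind, masked in find_embedded_twitter_creds(SAMPLE):
        print(f"line {line_no}: embedded Twitter consumer {kind} {masked}")
```

Run it over the output of an APK or IPA decompiler (or the source tree) in CI; any hit should block the release until the credential is moved server-side and rotated.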
Via: BleepingComputer