
Researchers have discovered more than 3,000 mobile apps exposing Twitter API keys that could be used to gain access to, or take over, Twitter accounts.
Approximately 3,207 apps were found to be leaking valid Consumer Key and Consumer Secret values. Some of these, belonging to unicorn start-ups, were found to leak all four Twitter authentication credentials, which could be used to take over Twitter accounts fully.
With complete access, an attacker would gain the ability to perform actions such as reading direct messages, retweeting, liking, deleting, and removing and adding followers, along with the ability to change account settings and the display picture on the account.
The exposure of the API keys is typically the result of a mistake in which developers embed their Twitter API authentication keys in the application during development but then forget to remove them before the mobile application is released. Leaked keys could later be used to spread false information or to run a phishing scam via a Twitter bot army.
It is vital to check that API keys are not directly embedded in code and that developers follow secure coding and deployment processes. These processes include implementing a standardized review procedure to ensure accurate versioning, hiding keys to increase security, and rotating API keys to reduce the threat of leaked keys.
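The check described above can be automated in a pre-release review step. The following is an added example, not code from the original article or from CloudSEK: a small scanner that walks text as it might appear in an app's configuration or decompiled resources, flags quoted values that sit next to credential-like names (consumer key/secret, access token, and so on) and have high Shannon entropy, and reports them redacted so the finding itself does not re-leak the key. The sample lines, the keyword regex, and the entropy threshold of 3.0 bits are assumptions chosen for illustration; the key values are constructed and not real credentials.

```python
import math
import re

# Constructed sample lines, as they might appear in a build config or a
# decompiled app's string table. All values are made up (not real keys).
SAMPLE_LINES = [
    'twitter_consumer_key = "AbCdEfGhIjKlMnOpQrStUvWxYz"',
    'CONSUMER_SECRET: "x9K2mQ8vL4pR7nT1wY5bH3jF6dS0aZ8cV2eG4hJ6k"',
    'api_base_url = "https://api.twitter.com/1.1/"',
    'app_name = "ExampleApp"',
    'ACCESS_TOKEN_SECRET = "q7W3e5R9t1Y2u4I6o8P0a2S4d6F8g0H1j3K5l7"',
    'debug = false',
]

# Assumed naming patterns for credential-bearing identifiers. Tune for the
# code base under review; this set is deliberately simple.
KEYWORD_RE = re.compile(r"(consumer|api|access|auth)[_\-]?(key|secret|token)", re.I)

# A quoted, token-like value of at least 16 characters.
VALUE_RE = re.compile(r"[\"']([A-Za-z0-9_\-]{16,})[\"']")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high,
    placeholders such as 'aaaaaaaa' or 'CHANGE_ME_PLEASE' score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a report never contains the
    full secret."""
    return value[:4] + "..." + value[-2:]


def find_hardcoded_secrets(lines, min_entropy: float = 3.0):
    """Return one finding per high-entropy value on a credential-named line.

    Each finding carries the 1-based line number, the matched identifier
    text, the entropy (rounded), and a redacted form of the value."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        kw = KEYWORD_RE.search(line)
        if not kw:
            continue  # no credential-like name on this line
        for m in VALUE_RE.finditer(line):
            value = m.group(1)
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                findings.append({
                    "line": lineno,
                    "identifier": kw.group(0),
                    "entropy": round(ent, 2),
                    "value": redact(value),
                })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_LINES):
        print(f"line {f['line']}: {f['identifier']} looks like a live secret "
              f"({f['value']}, entropy {f['entropy']} bits)")
```

Run against the constructed sample it reports lines 1, 2 and 5 and ignores the API base URL and the app name. A hit in a release build should be treated as a leaked key regardless of whether the app is public yet: remove it from the artifact, move the credential to a server-side component or a secrets store, and rotate the key, since anything shipped in an APK or IPA is recoverable by whoever downloads it.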
This research was conducted and documented by the CloudSEK firm.