October 3, 2023

Researchers have discovered more than 3,000 mobile apps exposing Twitter API  that can be used to gain access to or take over Twitter accounts.

Approximately 3,207 apps were found to be leaking valid Consumer Key and Consumer Secret keys. Some of which are belonging to unicorn start-ups were found to leak all four Twitter authentication credentials that could be used to take over Twitter accounts fully.

With complete access, an attacker would gain the ability to perform actions such as reading direct messages, retweeting, liking, deleting, and removing and adding followers, along with the ability to change account settings and the display picture on the account.

Advertisements

The exposure of the API keys is typically the result of mistakes in which developers embed their authentication keys in the Twitter API but then forget to remove them when the mobile application is released later this could be used to spread false information or used in a phishing scam via Twitter bot army.

It is vital to check that the API keys are not directly embedded in code and that developers should follow secure coding and deployment processes. Processes include implementing a standardized review procedure to ensure accurate versioning, hiding keys to increase security, and rotating API keys to reduce the threat of leaked keys.

This research was conducted and documented by the CloudSEK firm.

Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: