Cybersecurity researchers have found 3,207 mobile applications that expose Twitter API keys to the public, possibly allowing a threat actor to hijack users’ connected Twitter accounts. The finding was made by cybersecurity company CloudSEK, which examined a broad range of apps for possible data breaches and discovered 3,207 exposing a legitimate Consumer Key and Consumer Secret for the Twitter API.
Developers integrating mobile apps with Twitter will receive unique authentication keys, or tokens, that enable such apps to communicate with the Twitter API. When a user links their Twitter account to this mobile app, the keys also give the app the ability to act on their behalf. For example, the app can log them into Twitter, create tweets, send direct messages, and more. It is never advised to put keys directly in a mobile app where threat actors might locate them since having access to these authentication credentials could allow anyone to undertake actions as related Twitter users.
CloudSEK reveals that errors made by app developers that include their authentication credentials in the Twitter API but neglect to remove them after the smartphone is deployed frequently lead to API key leaks. In these circumstances, the following places in mobile applications house the credentials:
- Read someone’s direct messages
- Access account settings
- Perform retweets and likes
- Change display picture
- Create or delete tweets
- Remove or add new followers
According to CloudSEK, one of the most prominent examples of abusing this access would be for a threat actor to use these exposed tokens to assemble a Twitter army of verified (trustworthy) accounts with a sizable following to spread false information, malware campaigns, cryptocurrency scams, etc. App developers frequently make blunders by forgetting to delete their authentication credentials once the mobile app is deployed after embedding them in the Twitter API. In these scenarios, the following spots in mobile apps contain the credentials:
- resources/res/values/strings.xml
- source/resources/res/values-es-rCO/strings.xml
- source/resources/res/values-es-rAR/strings.xml
- source/sources/com/app-name/BuildConfig.java
CloudSEK advises developers to employ API key rotation to secure authentication keys, which would render the disclosed keys useless after a few months. A list of impacted apps was also released by CloudSEK, and it included radio tuners, book readers, event logs, newspapers, e-banking apps, bicycle GPS apps, and other programs with between 50,000 and 5,000,000 downloads.
After a month since CloudSEK warned them, the majority of applications that make their API keys publicly available haven’t even acknowledged seeing the alerts, let alone remedied the problems. Ford Motors stands out as an exceptional case since it responded and fixed the “Ford Events” app, which was also revealing Twitter API keys.
