Twitter warned developers that a bug could have exposed their API keys and access tokens in their browser’s cache.
The social media platform told developers it doesn’t believe the apps and tokens have been compromised and that the problem had been fixed. “Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter[.]com, they may have been temporarily stored in the browser’s cache on that computer,” Twitter wrote. Someone using the same computer right after the developer who “knew how to access a browser’s cache” and “what to look for,” conceivably “could have accessed the keys and tokens” the developer viewed.
“As hundreds of billions of dollars in online business rely on APIs to smoothly function, this growing ubiquity makes APIs a juicy target for malicious hackers trying to exploit weaknesses in these connection points,” said Ameet Naik, security evangelist at PerimeterX. “Leaked keys and security tokens make their way to the dark web and are used in automated attacks against API endpoints.”
PerimeterX’s research shows that on many websites and apps, “more than 75 percent of login requests from API endpoints are malicious.” API attacks are not only easier and more economical to execute, they are “harder to detect than legacy browser-based botnet attacks,” Naik said, urging developers to “take steps to ensure that API keys and security tokens are properly protected using key vaults.”
Twitter said it changed the caching instructions that the site sends developers’ browsers “to stop it from storing information about your apps or account so this won’t happen any longer.”