Researchers on Monday uncovered 3,207 apps leaking Twitter API keys that attackers can use to gain access to or take over Twitter accounts.
In a report, CloudSEK disclosed that its BeVigil search engine for mobile apps found that 230 of the apps were leaking all four Auth Creds and attackers can use them to fully takeover Twitter accounts to do the following: read direct messages, retweet, like, delete, remove followers, follow any account, get account settings and change a display picture.
The CloudSEK researchers pointed out that because Twitter has become such a prominent social media platform, attackers can leverage Twitter handles to disseminate misinformation in a way that’s not possible on most other sites. The researchers were also concerned that attackers can weave scams and threats into these activities, appearing legitimate to unsuspecting users.
Poorly protected APIs are a key security concern for mobile apps, web platforms and cloud surfaces, said Chris Olson, CEO at The Media Trust. Olson said today, the average mobile app contains more than 30 third-party APIs that hackers can exploit to steal data, track users, spread malware, and launch targeted attacks.
“Meanwhile, cloud security incidents are overwhelmingly attributable to misconfiguration of APIs by cloud customers, or overreliance on vulnerable third-party vendors — not security flaws on the CSP side,” Olson said. “Today's developers need to be more vigilant about protecting the digital safety and trust of their users, and organizations need to demand greater visibility into app components that expose their employees to cyber risk.”
The exposed Twitter API key issue adds up to many similar reported issues in the past in which secret API keys are mistakenly leaked, either in an open source version of the software, in a publicly exposed resource, or within mobile application such as in this case, said Yaniv Balmas, vice president of research at Salt Security.
“The main difference between this case and most of the previous ones is that usually when developers leave an API key exposed the major risk is to the application/vendor — a good example of that are AWS S3 API keys exposed on GitHub,” Balmas said. “In this case, since users permit the mobile application to use their own Twitter accounts, the issue actually puts them at the same risk level as the application itself. This adds up to a long list of possible abuses and attack scenarios that are exposed due to the extensive growth of the API and SaaS domains.”
Ray Kelly, a fellow at the Synopsys Software Integrity Group, said while the potential impact of this incident could significantly impact Twitter’s end-users, this type of vulnerability is one of the easiest to prevent. Kelly said when assessing a mobile app for security gaps, it’s important to test the back-end server, the network layer, and in this case, the device itself.
“Failure to encrypt API secrets on the device is akin to wrapping your ATM card in a Post-It note with your PIN written on it,” Kelly said. “However, in this case, the consequences are much more severe and could lead to attackers executing misinformation campaigns or impersonation attacks that they can target to specific Twitter users.”