Over 3200 mobile apps have been found by security experts to be leaking Twitter API keys, potentially allowing threat actors to take over user accounts.
Twitter API keys let developers connect to the social media platform and integrate Twitter features into their own applications; a gaming app, for instance, can post a user's high score straight to that user's Twitter account. The app authenticates to the API with its own API keys (the Consumer Key and Consumer Secret) and with access tokens issued for each user.
However, CloudSEK found that these keys are frequently left hardcoded in the apps themselves, often by developers with little security expertise. The study found that the exposed credentials could be misused to carry out a variety of sensitive actions on behalf of the affected accounts, such as reading direct messages, retweeting, liking, deleting tweets, removing followers, following accounts, and changing profile pictures.
According to CloudSEK, 3207 apps exposed a valid Consumer Key and Consumer Secret, potentially enabling malicious actors to assemble a sizable army of bot accounts.
More than 3200 apps leak Twitter API keys
CloudSEK's report describes how the harvested credentials could be used to assemble a Twitter bot army, and such an army can be deployed in any online conflict. The bot-driven misinformation war on the internet may be the most hazardous use. Tim Berners-Lee, the inventor of the web, has argued that false information spreads too easily because most people obtain their news from a small group of social media platforms and search engines that profit from users clicking on links. False news can "spread like wildfire" on these sites because their algorithms tend to favor content that users are most likely to engage with.
Compromised Twitter handles can be used to spread false information and extend its reach. Scams and threats can also be woven into the same channel and made to look legitimate; the recent "fake suspension notices" phishing campaign, for example, was spread through Twitter and used verified handles to lend it credibility.
Twitter bots also played an active part in the 2016 US presidential election, and the platform drew further controversy when it was used to spread rumors about the COVID-19 pandemic. As with any social network, the problem goes beyond simple networking.
Twitter goes a step further, since for many of its users it serves as their only source of news and information. Because disinformation depends on repetition, a large number of taken-over accounts can be made to amplify the same message in unison.
“Sometimes, these credentials are not removed before deploying it in the production environment. Once the app gets uploaded to the play store, the API secrets are there for anyone to access,” CloudSEK stated.
“A hacker can simply download the app and decompile it to get the API credentials. Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army.”
This type of Twitter bot, according to the research, might be used to:
- Spread false information worldwide
- Run extensive malware campaigns to infect followers of compromised accounts
- Start spam operations intended to encourage investment fraud
- Automate phishing to facilitate additional social engineering efforts
CloudSEK cautioned developers to perform regular code reviews, to make sure that the values belonging in environment variables never end up in source code files, and to rotate Twitter API keys.
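The decompile-and-harvest step quoted above and the code-review advice given here are two sides of the same check: a scan of the decompiled (or about-to-be-shipped) sources for strings shaped like Twitter credentials. The following is an added example written for this page, not CloudSEK's or BeVigil's tooling. The credential shapes it looks for are an assumption about the OAuth 1.0a formats commonly seen in the wild (consumer key of 25 alphanumerics, consumer secret of 50, access token of the form `<digits>-<40 alphanumerics>`, access token secret of 45), and the file names, the `ScoreShare` app and every value scanned are constructed for the example.

```python
"""Scan decompiled Android app sources for hardcoded Twitter API credentials.

Added example for this article, not CloudSEK's or BeVigil's code. Credential
shapes are assumptions about the OAuth 1.0a formats commonly observed.
"""
import math
import re
from dataclasses import dataclass

# Distinctive format: flagged wherever it appears, no context needed.
ACCESS_TOKEN_RE = re.compile(r"\b\d{5,}-[A-Za-z0-9]{40}\b")

# Ambiguous formats: a bare alphanumeric run of the right length. Only reported
# when a Twitter/OAuth keyword appears nearby AND the string has enough entropy
# to look like a real secret rather than a placeholder such as "aaaa...".
LENGTH_TO_KIND = {25: "consumer_key", 50: "consumer_secret", 45: "access_token_secret"}
ALNUM_RUN_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{25,50}(?![A-Za-z0-9])")
KEYWORD_RE = re.compile(r"twitter|consumer|oauth|api[_-]?(key|secret)", re.IGNORECASE)
CONTEXT_LINES = 3        # preceding lines that count as "nearby" for a keyword
MIN_ENTROPY_BITS = 3.5   # per-character Shannon entropy threshold


@dataclass(frozen=True)
class Finding:
    source: str   # file the value was found in
    line: int     # 1-based line number
    kind: str     # which credential the value looks like
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; repeated characters pull this down."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(source: str, text: str) -> list[Finding]:
    """Return every credential-shaped string in `text`, in line order."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for m in ACCESS_TOKEN_RE.finditer(line):
            findings.append(Finding(source, i + 1, "access_token", m.group()))
        window = "\n".join(lines[max(0, i - CONTEXT_LINES): i + 1])
        if not KEYWORD_RE.search(window):
            continue
        for m in ALNUM_RUN_RE.finditer(line):
            kind = LENGTH_TO_KIND.get(len(m.group()))
            if kind and shannon_entropy(m.group()) >= MIN_ENTROPY_BITS:
                findings.append(Finding(source, i + 1, kind, m.group()))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of file name -> file contents (e.g. an apktool output tree)."""
    return [f for name, text in sources.items() for f in scan_text(name, text)]


# Constructed sample inputs: two files as a decompiler would emit them for an
# app that shipped its keys, and one remediated server-side file for contrast.
SAMPLE_SOURCES = {
    "res/values/strings.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ScoreShare</string>
    <string name="twitter_consumer_key">aBcDeFgHiJkLmNoPqRsTuVwXy</string>
    <string name="twitter_consumer_secret">AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMn</string>
    <string name="twitter_placeholder">aaaaaaaaaaaaaaaaaaaaaaaaa</string>
</resources>
""",
    "smali/com/example/app/TwitterClient.smali": """\
.class public final Lcom/example/app/TwitterClient;
.super Ljava/lang/Object;

.method public static build()Lcom/example/app/TwitterClient;
    .registers 3
    const-string v0, "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz01234567890123"
    const-string v1, "ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210ZyXwVuTsR"
    invoke-static {v0, v1}, Lcom/example/app/TwitterClient;->create(Ljava/lang/String;Ljava/lang/String;)Lcom/example/app/TwitterClient;
    move-result-object v2
    return-object v2
.end method
""",
    "backend/TwitterConfig.java": """\
// Server-side: the secret stays on infrastructure the developer controls.
public final class TwitterConfig {
    static String consumerKey() { return System.getenv("TWITTER_CONSUMER_KEY"); }
    static String consumerSecret() { return System.getenv("TWITTER_CONSUMER_SECRET"); }
}
""",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line}: {f.kind} = {f.value}")
```

Run on the constructed tree, the scan reports the consumer key and secret from `strings.xml` and the access token and its secret from the smali file, skips the all-`a` placeholder despite the `twitter_` keyword next to it, and finds nothing in the remediated server-side file. The last point is the one that matters for the advice in this article: a Consumer Secret shipped inside an APK can always be recovered by the decompile step CloudSEK describes, so the durable fix is to keep it on a backend the developer controls and rotate any key that has ever been published.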
Because social networking sites like Twitter pride themselves on delivering information in real time, it can be hard to tell deliberate falsehoods from honest mistakes. It is therefore crucial for social media platforms to prevent their misuse in the spread of false information.
For businesses, securing social media credentials and preventing the spread of false information through verified handles are equally important, and both depend on secure coding and deployment practices. Tools such as BeVigil can also be used to check for exposed keys and credentials.