Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app. The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API. When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.

As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them. CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API but forget to remove them when the mobile app is released. [...] One of the most prominent scenarios of abuse of this access, according to CloudSEK, would be for a threat actor to use these exposed tokens to create a Twitter army of verified (trustworthy) accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
"CloudSEK shared a list of impacted applications [...] with apps between 50,000 and 5,000,000 downloads," reports BleepingComputer. They are not disclosing the list because the apps are still vulnerable to exploitation and Twitter account takeover.
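The class of mistake the report describes (a Consumer Key and Consumer Secret left in the shipped app package) is easy to check for yourself before release, or in someone else's app after unpacking it with apktool. The scanner below is an added example written for this page, not CloudSEK's tooling or anything from the report. It assumes that Twitter consumer keys are 25 and consumer secrets 50 alphanumeric characters, requires a nearby label such as twitter/consumer/oauth plus key/secret so that arbitrary tokens do not trigger, and drops low-entropy placeholders such as a row of X's. The sample files, paths and key values are constructed for the example.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Constructed sample: a few files as they would look after `apktool d app.apk`
# unpacks a hypothetical Android app. All key values here are made up.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">ExampleTweeter</string>\n'
        '    <string name="twitter_consumer_key">Ab1CdEf2GhIj3KlMn4OpQrSt5</string>\n'
        '    <string name="twitter_consumer_secret">'
        "zYxWvUtSrQpOnMlKjIhGfEdCbA0123456789ZyXwVuTsRqPoNm</string>\n"
        "</resources>\n"
    ),
    "smali/com/example/Config.smali": (
        ".field public static final TWITTER_API_KEY:Ljava/lang/String; "
        '= "Zz9YyXx8WwVv7UuTt6SsRr5Qq"\n'
    ),
    # A template that still holds a placeholder: must NOT be reported.
    "res/values/strings_template.xml": (
        '<string name="twitter_consumer_key">' + "X" * 25 + "</string>\n"
    ),
    "assets/config.json": '{"analytics_id": "UA-12345-6"}\n',
}

# Assumption: consumer keys are 25 and consumer secrets 50 alphanumeric
# characters. A label must appear shortly before the value so that a random
# 25-character token elsewhere in the app does not trigger on its own.
_LABEL = r"\b(?:twitter|consumer|oauth)[\w\s-]{0,20}?"
_GAP = r"[^\n]{0,40}?"
PATTERNS = [
    ("consumer_key", re.compile(
        _LABEL + r"key" + _GAP + r"(?<![A-Za-z0-9])([A-Za-z0-9]{25})(?![A-Za-z0-9])",
        re.IGNORECASE)),
    ("consumer_secret", re.compile(
        _LABEL + r"secret" + _GAP + r"(?<![A-Za-z0-9])([A-Za-z0-9]{50})(?![A-Za-z0-9])",
        re.IGNORECASE)),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: a real key scores around 4.5, 'XXXX...' scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_files(files: dict, min_entropy: float = 3.0) -> list:
    """Return one finding per labelled, high-entropy key or secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, regex in PATTERNS:
                for m in regex.finditer(line):
                    value = m.group(1)
                    if shannon_entropy(value) < min_entropy:
                        continue  # placeholder or template value, not a live key
                    findings.append(
                        {"file": path, "line": lineno, "kind": kind, "value": value})
    return findings


def scan_dir(root: str) -> list:
    """Scan a directory produced by `apktool d`; binary files are skipped."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(encoding="utf-8", errors="strict")
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        # Do not echo the full secret in reports; a prefix is enough to locate it.
        print(f'{f["file"]}:{f["line"]} {f["kind"]} {f["value"][:6]}...')
```

Any hit from scan_dir on a release build means the key pair must be rotated in the Twitter developer portal, because the copy already shipped cannot be recalled; the lasting fix is to keep the consumer secret on a backend you control and have the app call that backend rather than Twitter directly.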


  • So Elon Musk was right?
    • Well, TFA is about an exploit that could be used to compromise accounts which belong to real people. Musk's excuse* for backing out was that Twitter is full of bots, not that their security kind of sucks.

      * We all know that real reason is that the stock took a dump after he made the offer, and now he's a sad panda.

  • There's a treasure trove of network requests fetching from Airtable using a simple symmetric key.

    Also, there should be a clearinghouse for submitting found keys so the distributor can immediately invalidate. If that messes up your site, too bad. Do it right next time. Watch two hours of how to stand up a site (or mobile site) securely on the provider - AWS, GC, Azure, etc.

  • Why are there 3200+ apps that do twitter stuff?

