Thousands of mobile apps are leaking Twitter API keys, which could give attackers full control of the associated Twitter accounts and let them use those accounts for identity theft or other types of electronic fraud.
The findings come courtesy of researchers at cybersecurity firm CloudSEK, who found that a total of 3,207 mobile apps leak valid consumer keys, as well as consumer secrets, for the Twitter API.
Many mobile apps offer integration with Twitter, allowing them to perform certain actions on behalf of their users. The integration is done through the Twitter API with the help of a consumer key and consumer secret. By leaking these credentials, the apps could allow threat actors to tweet, send and read direct messages, and the like. CloudSEK demonstrated that, in theory, a threat actor could amass an “army” of compromised Twitter accounts and use it to promote a scam or malware campaign by tweeting, retweeting, communicating via direct messages, and so on.
Millions of downloads
The apps in question include electronic banking apps, city transit apps, radio tuners, and the like, and have between 50,000 and five million downloads each, the researchers said.
In other words, millions of Twitter accounts are likely at risk.
All app owners were notified, but most did not even acknowledge the notification, let alone address the issue. Ford Motors was reportedly among the few companies that fixed the problem quickly, in its Ford Events app.
The list of affected apps will not be made public until the remaining apps fix the problem.
The researchers added that API key leaks are usually the result of mistakes during app development: developers embed the Twitter API credentials in the app's code while building it and then forget to remove them before release.
To prevent such leaks, CloudSEK recommends that developers rotate their API keys, so that any key that has been exposed becomes invalid after a set period.
Via: BleepingComputer