Researchers have discovered that around 3,207 mobile apps were leaking Twitter API keys, potentially enabling threat actors to hijack the associated Twitter accounts. Twitter API keys let developers call the social network's API so that parts of its functionality can be embedded in their own software.
Leaked Twitter API Keys can Completely Take Over Twitter Accounts
According to research by Singapore-based cybersecurity firm CloudSEK: "Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions." The researchers added that with the leaked keys an attacker can do anything from reading direct messages to carrying out arbitrary actions on the account: retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the profile picture.
The firm noted that API keys and tokens harvested from the apps could be fed into a bot to run large-scale malware campaigns through verified accounts, targeting those accounts' followers. The affected apps include transportation apps, e-banking apps, radio tuners and more, each with between 50,000 and five million downloads.
How to defend against these attacks?
The research firm detailed measures developers can take to follow secure coding and deployment practices:
• Standardizing review procedures: the code base should be examined, reviewed and approved before a version is published.
• Hiding keys: environment variables are an alternative way to reference keys without writing them into the source. They save time and improve security, provided the files that hold them (a .env file, for example) are never committed to the code base or shipped with the release.
• Rotating API keys: regular rotation limits the window in which a leaked key remains usable.
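As an added example, not tooling from CloudSEK or anything in the original report, the Python script below puts the first two measures into practice: a review-time scanner that flags the four Twitter credentials (consumer key, consumer secret, access token, access token secret) hardcoded in source or in strings pulled from a decompiled app, and the environment-variable loading pattern that keeps them out of the tree, together with a check that the .env file is git-ignored. The value shapes the regexes look for are assumptions based on commonly observed token formats (used only to reduce false positives), and the two sample source snippets and their credential values are constructed for the demo.

```python
"""Heuristic scanner for Twitter API credentials hardcoded in source or in
strings from a decompiled app, plus the environment-variable loading pattern
that keeps them out of the code base.

Added example, not tooling from CloudSEK or the original article. The value
shapes below are assumptions based on commonly observed token formats; they
are there to cut false positives, not a Twitter specification."""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    # consumer key / API key: short alphanumeric string (assumed ~25 chars)
    "consumer_key": re.compile(
        r"(?i)(?:consumer|api)[_-]?key['\"]?\s*[=:]\s*['\"](?P<value>[A-Za-z0-9]{20,30})['\"]"),
    # consumer secret / API secret (assumed ~50 chars)
    "consumer_secret": re.compile(
        r"(?i)(?:consumer|api)[_-]?secret['\"]?\s*[=:]\s*['\"](?P<value>[A-Za-z0-9]{40,60})['\"]"),
    # access token: numeric user id, hyphen, alphanumeric tail (assumed ~40 chars)
    "access_token": re.compile(
        r"(?i)access[_-]?token['\"]?\s*[=:]\s*['\"](?P<value>\d{5,25}-[A-Za-z0-9]{30,50})['\"]"),
    # access token secret (assumed ~45 chars)
    "access_token_secret": re.compile(
        r"(?i)access[_-]?token[_-]?secret['\"]?\s*[=:]\s*['\"](?P<value>[A-Za-z0-9]{35,55})['\"]"),
}


def scan_text(text: str) -> List[Tuple[str, int, str]]:
    """Return (credential_name, line_number, value) for every hardcoded hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((name, lineno, match.group("value")))
    return findings


def assess(findings: List[Tuple[str, int, str]]) -> str:
    """Map findings to the report's impact tiers: all four credentials let an
    attacker act as the account; any subset is still a leak worth fixing."""
    found = {name for name, _, _ in findings}
    if found >= set(CREDENTIAL_PATTERNS):
        return "full-takeover"
    return "partial-leak" if found else "clean"


def redact(value: str) -> str:
    """Show enough of a hit to confirm it without reprinting the secret."""
    return value[:4] + "..." + value[-2:]


REQUIRED_ENV = ("TWITTER_CONSUMER_KEY", "TWITTER_CONSUMER_SECRET",
                "TWITTER_ACCESS_TOKEN", "TWITTER_ACCESS_TOKEN_SECRET")


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Safer pattern: credentials come from the environment at run time, so the
    source tree never contains them. Fails closed if any of the four is unset."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing Twitter credentials in environment: {missing}")
    return {k: env[k] for k in REQUIRED_ENV}


def env_file_ignored(gitignore_text: str, env_file: str = ".env") -> bool:
    """Check that the file holding the variables is excluded from version control
    (simplified .gitignore matching: exact name, rooted name, or the *.env glob)."""
    entries = [ln.strip() for ln in gitignore_text.splitlines()]
    entries = [e for e in entries if e and not e.startswith("#")]
    return any(e in (env_file, "/" + env_file, "*.env") for e in entries)


# Constructed sample of the problem: an Android-style config class with all four
# credentials hardcoded. The values are made up and are not real credentials.
LEAKY_SOURCE = """\
// constructed sample, values are not real credentials
public final class TwitterConfig {
    static final String CONSUMER_KEY = "aBcDeFgHiJkLmNoPqRsTuVwXy";
    static final String CONSUMER_SECRET = "Z9y8X7w6V5u4T3s2R1q0PoNmLkJiHgFeDcBa0123456789AbCd";
    static final String ACCESS_TOKEN = "1234567890-Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8L9z0";
    static final String ACCESS_TOKEN_SECRET = "mNbVcXzLkJhGfDsApOiUyTrEwQ0987654321aBcDeFgHi";
}
"""

# Constructed sample of the fix: the same names, but read from the environment.
SAFE_SOURCE = """\
# constructed sample: credentials are read from the environment at run time
import os
CONSUMER_KEY = os.environ["TWITTER_CONSUMER_KEY"]
CONSUMER_SECRET = os.environ["TWITTER_CONSUMER_SECRET"]
ACCESS_TOKEN = os.environ["TWITTER_ACCESS_TOKEN"]
ACCESS_TOKEN_SECRET = os.environ["TWITTER_ACCESS_TOKEN_SECRET"]
"""

if __name__ == "__main__":
    for label, source in (("leaky", LEAKY_SOURCE), ("safe", SAFE_SOURCE)):
        hits = scan_text(source)
        print(f"{label}: {assess(hits)}")
        for name, lineno, value in hits:
            print(f"  line {lineno}: {name} = {redact(value)}")
```

Run the scanner over the source tree or over `strings` output from an unpacked APK as part of the review step; a "full-takeover" result is the 230-app case from the report, and any "partial-leak" still warrants rotating the affected key. One caveat a mobile developer should keep in mind: environment variables keep the credentials out of the repository, but anything injected at build time still ends up in the shipped binary, which is exactly where these keys were harvested from, so credentials that grant account-level actions are better kept on a backend the app talks to than in the app itself.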