Over 3,000 mobile apps that Twitter users trust with access to their accounts are exposed to account hijacking, according to a new report from cybersecurity firm CloudSEK. The apps ship with the Twitter API keys and OAuth tokens they use to talk to the platform embedded in their code, and anyone who extracts those credentials can act on Twitter with whatever permissions the credentials carry.
The problem stems from developers failing to remove the Twitter API keys they use for authentication from the app before releasing it to the public. Attackers can then decompile the app and comb through the code to locate the keys. The study finds that an app update is enough to fix the issue, but that the vast majority of impacted apps have not shipped one.
Twitter API keys found in thousands of mobile apps
CloudSEK researchers discovered 3,207 apps leaking Twitter API keys via the firm’s own BeVigil mobile app search engine. A wider search of the companies behind these apps found more than 15,000 leaking some form of Twitter API key or security token in the same way.
The company warns that the threat is not limited to isolated account hijacking and mischief. An organized attacker could exploit this common vulnerability to form a “bot army” of Twitter accounts for purposes ranging from large-scale credential phishing to misinformation campaigns.
The credentials at issue are the Open Authorization (“OAuth”) keys and tokens the Twitter API uses to let a third-party app act on a user’s behalf. Probably the most common example is an app that lets users automatically tweet out accomplishments or status updates through their Twitter account without switching over to the Twitter app and posting manually. The same tokens are used by apps that schedule tweets in advance and coordinate simultaneous posts across multiple social media platforms from a central interface for things like ad campaigns and public notices.
The study finds that there are four particular locations in an app’s code and resources that developers frequently forget to scrub their Twitter API keys from, which makes the keys easy to find for anyone who decompiles the app and searches for them. Of the 3,207 apps identified, the researchers say that 230 are “unicorns” leaking the complete credential set (the app’s consumer key and consumer secret together with an access token and its secret), which is enough for full takeover of the account the token belongs to; apps that leak only some of these limit the account functions an attacker can reach. Particular apps were not named for obvious security reasons, but the researchers said that they spanned a very broad and varied set of industries (from e-banking to book readers) and could make for some very destructive account hijacking possibilities.
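As an added illustration that is not from the CloudSEK report or the BeVigil engine, the Python scanner below runs over decompiled app sources, pulls out hard-coded name/value pairs from the two places such keys usually survive (Android `strings.xml` resources and the generated `BuildConfig` class), flags values whose name and shape suggest one of the four OAuth 1.0a credentials, and grades the exposure the way the report does (all four present equals “unicorn”). The file paths, the name hints and the credential length heuristics are assumptions for triage rather than proof, and the sample file contents are constructed.

```python
import re
from collections import defaultdict

# Assumption: substrings that suggest a value is a Twitter/OAuth credential.
# Naming conventions vary, so extend this list for the code base under audit.
NAME_HINTS = ("twitter", "oauth", "consumer", "access_token", "tw_")

# Heuristic value shapes (assumption, based on the formats Twitter has used):
# consumer key 25 chars, consumer secret 50 chars, access token
# "<numeric user id>-<40 chars>", access token secret 45 chars.
CREDENTIAL_SHAPES = {
    "consumer_key": re.compile(r"[A-Za-z0-9]{25}"),
    "consumer_secret": re.compile(r"[A-Za-z0-9]{50}"),
    "access_token": re.compile(r"\d{5,20}-[A-Za-z0-9]{40}"),
    "access_token_secret": re.compile(r"[A-Za-z0-9]{45}"),
}

# Name/value extractors for the two artefact types we scan.
XML_STRING = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
JAVA_CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')


def extract_pairs(path, text):
    """Return (name, value) pairs from a decompiled resource or Java file."""
    regex = XML_STRING if path.endswith(".xml") else JAVA_CONST
    return regex.findall(text)


def classify_value(name, value):
    """Map a pair to a credential kind, or None if name or shape do not fit."""
    if not any(hint in name.lower() for hint in NAME_HINTS):
        return None
    for kind, shape in CREDENTIAL_SHAPES.items():
        if shape.fullmatch(value.strip()):
            return kind
    return None


def scan(files):
    """files: {path: decompiled text}. Returns {credential_kind: [(path, name)]}."""
    found = defaultdict(list)
    for path, text in files.items():
        for name, value in extract_pairs(path, text):
            kind = classify_value(name, value)
            if kind:
                found[kind].append((path, name))
    return dict(found)


def severity(found):
    """All four credentials: account takeover ("unicorn"). Only the app's
    consumer key/secret: the app identity can be impersonated. Else partial."""
    kinds = set(found)
    if kinds >= set(CREDENTIAL_SHAPES):
        return "unicorn"
    if {"consumer_key", "consumer_secret"} <= kinds:
        return "app-credentials"
    return "partial" if kinds else "clean"


# Constructed sample of a decompiled app; the values are not real credentials.
SAMPLE_APP = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">Demo Reader</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWx</string>
    <string name="google_app_id">1234567890123456789012345</string>
</resources>""",
    "sources/com/example/reader/BuildConfig.java": """public final class BuildConfig {
  public static final String TWITTER_ACCESS_TOKEN = "1234567890-AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMn";
  public static final String TWITTER_ACCESS_TOKEN_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrS";
  public static final String BUILD_TYPE = "release";
}""",
}

if __name__ == "__main__":
    hits = scan(SAMPLE_APP)
    for kind, locations in hits.items():
        for path, name in locations:
            print(f"{kind:20} {path}:{name}")
    print("severity:", severity(hits))
```

The `google_app_id` value has the same length as a consumer key but no credential-like name, so it is not reported; requiring both a name hint and a value shape is what keeps this usable on a real decompiled tree, where 25-character alphanumeric strings are common. Treat a hit as a lead to confirm, not as a finding on its own.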
Only one specific app was named: the “Ford Events” app from Ford Motors, and that only because it was the lone company that responded when contacted about the leaking Twitter API keys and issued an update fixing the problem. Other impacted companies either do not appear to be aware of the account hijacking threat or are thus far opting not to do anything about it.
Twitter account hijacking a more valuable crime than ever
While Twitter account hijacking might not seem like a priority item for criminal hackers, these accounts have value in a variety of ways, and attacks on similar social media credentials are becoming increasingly common. The Twitter breach of 2020 illustrated some of these possibilities, namely an underground market for short, simple usernames (long since claimed by someone) and the takeover of high-profile celebrity accounts to run cryptocurrency scams.
An ongoing scheme on Facebook also shows that attackers are willing to use breached accounts to drive traffic that earns them legitimate ad revenue. A sophisticated nation-state attacker might sit on a collection of compromised accounts until an opportune moment and use them to spread misinformation during a crisis. Trusted accounts could also be used to distribute malware in a coordinated effort, something that would likely be detected quickly but could nevertheless reach millions if the right accounts were used in the right way.
The Twitter API keys are generally left in these apps because they were used during testing, and developers simply fail to remove them before shipping the product. CloudSEK recommends heading off this avenue of account hijacking by rotating all authentication keys on a schedule, so that a key automatically becomes invalid after a set period (generally a few months). Rotation bounds the damage window but does not stop extraction: any key compiled into a shipped binary should be assumed to be public from the day the app is published.
In these situations, security experts also tend to advise that developers ensure that they have tested the back-end server and network layer for security gaps (as well as performing security tests on actual devices). David Stewart, CEO of Approov, adds some more specific suggestions that developers may find useful: “There are only two ways to solve this problem. Either adopt a mobile security solution that enables you to store your API keys off device and deliver them only when needed or require a second independent factor to be present alongside the API key to access backend data and resources – effectively ensuring that API keys can’t be abused even if they leak out.”
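The second option in the quote above (a factor that must accompany the API key before the backend will use it) can be shown with a small simulation. The Python below is an added example, not code from CloudSEK or Approov: the Twitter consumer secret lives only on the developer’s backend, the app holds nothing but a short-lived device token issued by a stand-in attestation service, and the backend signs the upstream call only after the token verifies. The token format, the HMAC-based attestation stand-in, the five-minute lifetime and the SHA-256 placeholder for the real OAuth 1.0a request signature are all assumptions; the secrets are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets (assumption: real ones come from the developer portal and a
# secret store). Neither value ever ships inside the mobile app.
TWITTER_CONSUMER_SECRET = b"server-side-only-consumer-secret"
ATTESTATION_KEY = secrets.token_bytes(32)  # shared by attestation service and backend
TOKEN_TTL = 300  # seconds a device token stays valid


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_device_token(device_id, now=None):
    """Stand-in attestation service: issue a short-lived token bound to a device
    that passed integrity checks. This is the only credential the app holds."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"dev": device_id, "exp": now + TOKEN_TTL},
                         separators=(",", ":")).encode()
    sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_device_token(token, now=None):
    """Return the device id for a valid, unexpired token, else None.
    The MAC is checked before the payload is parsed, so untrusted bytes are
    never fed to the JSON parser."""
    now = int(time.time() if now is None else now)
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("dev")


def backend_post_tweet(request, now=None):
    """Backend endpoint: the only place the consumer secret is used. A request
    that carries no valid device token is refused before any signing happens."""
    device = verify_device_token(request.get("device_token", ""), now)
    if device is None:
        return {"status": 401, "error": "valid device token required"}
    # Placeholder for the OAuth 1.0a signature the real API expects; the point is
    # that the secret is applied here, not on the phone.
    upstream_sig = hmac.new(TWITTER_CONSUMER_SECRET, request["text"].encode(),
                            hashlib.sha256).hexdigest()
    return {"status": 200, "device": device, "upstream_signature": upstream_sig}


if __name__ == "__main__":
    tok = issue_device_token("device-42")
    print("attested request :", backend_post_tweet({"text": "hello", "device_token": tok})["status"])
    print("bare request     :", backend_post_tweet({"text": "hello"})["status"])
    print("expired token    :", backend_post_tweet({"text": "hello", "device_token": tok},
                                                   now=time.time() + TOKEN_TTL + 1)["status"])
```

With this layout, an attacker who decompiles the app finds no consumer secret and no long-lived access token to steal, only a token that is useless after a few minutes and only issued to devices the attestation service accepts. Key rotation still applies on the backend, but a rotation is now an operational event rather than an app-store release.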