CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Thousands of Mobile Apps Are Leaking Twitter API Keys, Could Be Used for Account Hijacking

Scott Ikeda·August 12, 2022

Over 3,000 mobile apps that Twitter users trust with their login information are fundamentally vulnerable and could be used for account hijacking, according to a new report from cybersecurity firm CloudSEK. These apps are leaking Twitter API keys used to interface with the social media platform, which are in turn tied to the Twitter login information that app users provide.

The problem stems from developers failing to remove the Twitter API keys they use for authentication from the app before they release it to the public. Attackers can then comb through the code to locate the keys. The study finds that it is possible for app updates to fix this issue, but that the vast majority of impacted apps have not addressed it.

Twitter API keys found in thousands of mobile apps

CloudSEK researchers discovered 3,207 apps leaking Twitter API keys via the firm’s own BeVigil mobile search engine. A search of companies making use of these apps found that over 15,000 were leaking some form of Twitter API keys or security tokens in this way.

The company warns that the threat is not limited to isolated account hijacking and mischief. An organized attacker could exploit this common vulnerability to form a “bot army” of Twitter accounts for purposes ranging from large-scale credential phishing to misinformation campaigns.

The flaw involves the Open Authorization (“OAuth”) tokens used by the Twitter API. These tokens are issued against the app’s Twitter API keys and allow users to share functionality with other apps; probably the most common example would be apps that let users automatically tweet out accomplishments or status updates via their Twitter account without having to switch over to the Twitter app and set everything up manually. The same tokens are used by apps that schedule tweets in advance and coordinate simultaneous posts across multiple social media platforms from a central interface, for things like ad campaigns and notices to the public.

The study finds that there are four particular locations that developers frequently forget to scrub their Twitter API keys from, making it easy for attackers who decompile an app and probe around for them. Of the 3,207 apps that were identified, the researchers say that 230 are “unicorns” that are leaking all of the associated Twitter API keys and tokens that enable full account takeover (others might limit the account functions an attacker could have access to). Particular apps were not named for obvious security reasons, but the researchers said that they spanned a very broad and varied set of industries (from e-banking to book readers) and could make for some very destructive account hijacking possibilities.

Only one specific app was named: the “Ford Events” app from Ford Motors, and that only because it was the lone company that responded when contacted about the leaking Twitter API keys and issued an update fixing the problem. Other impacted companies either do not appear to be aware of the account hijacking threat or are thus far opting not to do anything about it.

Twitter account hijacking a more valuable crime than ever

While Twitter account hijacking might not seem like a priority item for criminal hackers, these accounts have value in a variety of different ways and attempts on similar social media credentials are becoming increasingly common. The Twitter breach of 2020 illustrated some of these possibilities, namely an underground market for account names with short and simple words as the username (long since claimed by someone) and the takeover of high-profile celebrity accounts for running cryptocurrency scams.

An ongoing scheme on Facebook also demonstrates that attackers are willing to use breached accounts to direct traffic to legitimate ad revenue. And a sophisticated nation-state attacker might sit on a collection of compromised accounts until an opportune moment, using them to spread misinformation during a crisis. Trusted accounts could also be used to pass malware in a coordinated effort, something that would likely be detected quickly but could nevertheless infect millions if the right accounts were used in the right way.

The Twitter API keys are generally left in these apps because they were used during testing, with developers simply failing to remove them before shipping the product. CloudSEK recommends heading off this potential avenue of account hijacking by rotating API keys so that all authentication keys automatically become invalid after a certain period (generally a few months).
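One way a development team can catch leftover test keys before a release ships is a scan of the build output for string literals shaped like Twitter OAuth credentials. The following is an added example written for this article, not code from CloudSEK or BeVigil; the credential lengths, the identifier hints and the two sample files (an Android string resource and a generated BuildConfig class, both constructed, with made-up values) are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes commonly used by secret scanners for Twitter OAuth 1.0a keys.
# The lengths are an assumption of this example, not figures from the CloudSEK report.
SHAPES = [
    ("access_token", re.compile(r"^[0-9]{5,25}-[A-Za-z0-9]{40}$")),
    ("consumer_secret", re.compile(r"^[A-Za-z0-9]{50}$")),
    ("access_token_secret", re.compile(r"^[A-Za-z0-9]{45}$")),
    ("consumer_key", re.compile(r"^[A-Za-z0-9]{25}$")),
]
# Only lines whose identifiers hint at a credential are reported, so ordinary
# long strings (hashes, resource ids) in the same files are not flagged.
NAME_HINT = re.compile(r"(?i)(twitter|oauth|consumer|api|access)[_.\-]?(key|secret|token)")
CANDIDATE = re.compile(r"[A-Za-z0-9\-]{25,80}")

def scan_text(text: str, source: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, credential type, redacted value) per suspected key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not NAME_HINT.search(line):
            continue
        for token in CANDIDATE.findall(line):
            for kind, shape in SHAPES:
                if shape.match(token):
                    findings.append((source, line_no, kind, token[:4] + "..." + token[-4:]))
                    break
    return findings

# Constructed sample build output (not real credentials): a string resource file
# and a generated BuildConfig class, two places where test keys tend to linger.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": """<resources>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="release_notes_hash">0000111122223333444455556666777788889999</string>
</resources>""",
    "BuildConfig.java": """public final class BuildConfig {
    public static final String TWITTER_CONSUMER_SECRET = "0123456789abcdefghijABCDEFGHIJ0123456789klmnopqrst";
    public static final String TWITTER_ACCESS_TOKEN = "1234567890-abcdefghijklmnopqrstuvwxyz01234567890123";
    public static final String TWITTER_ACCESS_TOKEN_SECRET = "ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsr";
}""",
}

def scan_samples() -> List[Tuple[str, int, str, str]]:
    """Run the check over the constructed files; a release gate would fail if non-empty."""
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(text, path)]
```

Pointing `scan_text` at the unpacked APK or the repository instead of the constructed samples turns this into a pre-release gate; the 40-character hash in the sample is deliberately left unflagged to show the false-positive filter.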

In these situations, security experts also tend to advise that developers ensure that they have tested the back-end server and network layer for security gaps (as well as performing security tests on actual devices). David Stewart, CEO of Approov, adds some more specific suggestions that developers may find useful: “There are only two ways to solve this problem. Either adopt a mobile security solution that enables you to store your API keys off device and deliver them only when needed or require a second independent factor to be present alongside the API key to access backend data and resources – effectively ensuring that API keys can’t be abused even if they leak out.”

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.