CloudSEK, a firm that offers AI technology for combating digital threats, said it has uncovered 3,207 mobile apps leaking Twitter API keys, some of which can be used to take over Twitter accounts.
One of the biggest concerns is the potential to build a bot army for spreading misinformation, malware, and spam, CloudSEK said in a report.
CloudSEK* researchers said key findings include:
- 3,207 apps were leaking a valid consumer key and consumer secret
- 230 apps were leaking all four OAuth credentials (consumer key, consumer secret, access token and access token secret) and could be used to fully take over Twitter accounts and perform critical or sensitive actions.
Some of those sensitive actions include reading Direct Messages, retweeting, deleting messages, liking messages, and getting account settings.
The Twitter API provides direct access to a Twitter account, and the API authenticates callers with OAuth tokens. OAuth ("Open Authorization") is an open standard for delegated authorization and is commonly used to grant API access. It works over HTTPS and authorizes devices, APIs, servers, and applications.
This standard is also used by Amazon, Google, Facebook, and Microsoft.
“The Twitter API enables access to the Twitter application. This allows a developer to access the core functionalities of Twitter such as reading and sending Tweets, Direct Messages, Following and Unfollowing users, etc. By allowing access to their APIs, Twitter ensures that developers can come up with their own unique ways of embedding Twitter’s data and functionality in their applications.”
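To make concrete what "all four OAuth credentials" means, here is an added example (not from CloudSEK's report or from Twitter's code) of OAuth 1.0a request signing as RFC 5849 specifies it and as Twitter's user-context API consumes it. The consumer key names the app and the access token names the user; the consumer secret and access token secret together form the HMAC-SHA1 signing key, so whoever holds all four can sign any request as that user. The endpoint URL, credentials, nonce and timestamp in the block are constructed placeholders.

```python
"""OAuth 1.0a request signing (RFC 5849, HMAC-SHA1) as used by Twitter's
user-context API. Added example with made-up credentials; it shows which of
the four credentials identify the caller and which two form the signing key."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse


def pct(value: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&base-URL&normalised-params, each part percent-encoded."""
    parts = urlparse(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def signing_key(consumer_secret: str, access_token_secret: str) -> str:
    """Both secrets are needed; with them anyone can sign as this user."""
    return f"{pct(consumer_secret)}&{pct(access_token_secret)}"


def sign_request(method, url, params, consumer_key, consumer_secret,
                 access_token, access_token_secret, nonce=None, timestamp=None):
    """Return (Authorization header, signature base string) for one request.

    params holds the query-string or form-body parameters of the call."""
    oauth = {
        "oauth_consumer_key": consumer_key,   # identifies the application
        "oauth_token": access_token,          # identifies the authorising user
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    mac = hmac.new(signing_key(consumer_secret, access_token_secret).encode(),
                   base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(mac).decode()
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


if __name__ == "__main__":
    # Constructed credentials: the leak described in the article hands an
    # attacker exactly these four values.
    header, base = sign_request(
        "GET", "https://api.twitter.com/1.1/account/settings.json", {},
        consumer_key="CONSUMERKEYxxxxxxxxxxxxxx", consumer_secret="consumer-secret",
        access_token="12345-ACCESSTOKEN", access_token_secret="token-secret",
    )
    print(base)
    print(header)
```

Note that the consumer key and access token travel in the clear inside the header; only the two secrets stay off the wire, which is why leaking them from an APK is equivalent to leaking the ability to sign.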
The vulnerability in mobile applications is often the result of a developer error, the report said.
“While developing a mobile application, developers use the Twitter API for testing. While doing so, they save the credentials within the mobile application. Sometimes, these credentials are not removed before deploying it in the production environment. Once the app gets uploaded to the Play Store, the API secrets are there for anyone to access. A hacker can simply download the app and decompile it to get the API credentials. Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army.”
The valid API keys and tokens can be embedded in a script to perform a variety of attack scenarios, CloudSEK said.
- Spreading misinformation
- Spreading malware through verified accounts, whose posts are passed on among legitimate followers
- Spamming with the aim of, for example, disseminating information related to cryptocurrency or the stock market.
- Phishing to obtain sensitive user information, which is then used to launch other social engineering attacks or identity theft.
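A harvester of the kind the report describes decompiles the APK and searches the output for these values; the same search, run before release, is how a developer or app-store reviewer catches the leak first. The following is an added example (not CloudSEK's or BeVigil's tooling) that scans constructed fragments of decompiled output, a strings.xml resource and a BuildConfig class, for name-anchored Twitter credentials and rates each app the way the findings above do: consumer key plus secret means the app can be impersonated, all four means the user account can be taken over. The credential lengths in the patterns (25, 50, user-id-dash-40 and 45 characters) are assumptions taken from common secret-scanner rules, and every sample value is made up.

```python
"""Triage Twitter OAuth 1.0a credentials found in decompiled app artifacts.
Added example (not CloudSEK's or BeVigil's tooling). Credential formats are
assumptions taken from common secret-scanner rules; all inputs are constructed."""
import re
from collections import Counter

# Name-anchored patterns: the value must sit within a few non-word characters
# of a recognisable key name, so random identifiers of the same length are
# not reported on length alone. Lengths (25/50/id-40/45) are assumptions.
CREDENTIAL_PATTERNS = {
    "consumer_key": re.compile(r"(?i)(?:consumer|api)[_-]?key\W{1,8}([A-Za-z0-9]{25})\b"),
    "consumer_secret": re.compile(r"(?i)(?:consumer|api)[_-]?secret\W{1,8}([A-Za-z0-9]{50})\b"),
    "access_token": re.compile(r"(?i)access[_-]?token\W{1,8}(\d{5,20}-[A-Za-z0-9]{40})\b"),
    "access_token_secret": re.compile(r"(?i)(?:access[_-]?)?token[_-]?secret\W{1,8}([A-Za-z0-9]{45})\b"),
}

# Constructed credentials with the assumed lengths.
CK = "aBcDeFgHiJkLmNoPqRsTuVwXy"        # 25 chars
CS = "S3cr3t" * 8 + "AB"                 # 50 chars
AT = "1234567890-" + "tOkEn" * 8         # numeric user id, dash, 40 chars
ATS = "TokSecret" * 5                    # 45 chars

# Constructed decompiled fragments, one per fictitious app.
SAMPLE_APPS = {
    # Left-over test keys in res/values/strings.xml: app credentials only.
    "com.example.newsreader": f"""
<string name="twitter_consumer_key">{CK}</string>
<string name="twitter_consumer_secret">{CS}</string>
""",
    # The developer's own user tokens baked into BuildConfig: all four leak.
    "com.example.tweetscheduler": f"""
public static final String TWITTER_API_KEY = "{CK}";
public static final String TWITTER_API_SECRET = "{CS}";
public static final String TWITTER_ACCESS_TOKEN = "{AT}";
public static final String TWITTER_ACCESS_TOKEN_SECRET = "{ATS}";
""",
    # A 25-char string with no credential name beside it: not reported.
    "com.example.clean": 'const-string v0, "aBcDeFgHiJkLmNoPqRsTuVwXy"\n',
}


def find_credentials(text: str) -> dict:
    """Return {credential_type: set(values)} for everything found in one app."""
    found = {}
    for name, pattern in CREDENTIAL_PATTERNS.items():
        values = set(pattern.findall(text))
        if values:
            found[name] = values
    return found


def classify(found: dict) -> str:
    """Map what leaked to what an attacker can sign with it."""
    have = set(found)
    app_creds = {"consumer_key", "consumer_secret"} <= have
    user_creds = {"access_token", "access_token_secret"} <= have
    if app_creds and user_creds:
        return "full_account_takeover"   # any user-context call: DMs, tweets, deletes
    if app_creds:
        return "app_impersonation"       # act under the app's identity
    if found:
        return "partial"                 # something leaked, not enough to sign alone
    return "clean"


def triage(apps: dict) -> dict:
    """Verdict per app name."""
    return {app: classify(find_credentials(text)) for app, text in apps.items()}


def summarise(verdicts: dict) -> Counter:
    """Counts per verdict, the shape of the 3,207 / 230 split in the report."""
    return Counter(verdicts.values())


if __name__ == "__main__":
    verdicts = triage(SAMPLE_APPS)
    for app, verdict in verdicts.items():
        print(f"{app:32} {verdict}")
    print(dict(summarise(verdicts)))
```

The name anchoring is what keeps the false-positive rate usable on a real decompiled tree, where 25- and 45-character alphanumeric runs are common; a candidate should still be confirmed against the API before it is counted, since revoked test keys match the same patterns.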
State of API security: malicious attack traffic grew 117%
Comparing July 2021 to July 2022, overall API traffic per customer grew 168%, indicating that API usage is also exploding, according to the Q3 2022 State of API Security report.
“Malicious API attack traffic surged 117% over the past year, from an average of 12.22M malicious calls per month to an average of 26.46M calls,” the report said.
Because of the growing importance of APIs to business, API security is a crucial element of an organization’s cybersecurity strategy. Despite that, organizations seem to lag in API security, according to the latest API Security Report by Salt Security. Poor API authentication remains one of the top issues that facilitate attacks, and API authentication and authorization rely on machine identities and API keys that can be stolen and misused.
Failure to encrypt API secrets like ‘a Post-It note with your PIN’
“While the potential impact of this incident could significantly impact Twitter’s end-users, this type of vulnerability is one of the easiest to prevent,” said Ray Kelly, Fellow at Synopsys Software Integrity Group, a Mountain View, Calif.-based provider of integrated software solutions, in a statement.
“When assessing a mobile app for security gaps, it is important to test the backend server, the network layer and in this case, the device itself. Failure to encrypt API secrets on the device is akin to wrapping your ATM card in a Post-It note with your PIN written on it,” Kelly said.
This is similar to previously reported cases of mistakenly leaked API keys, said Yaniv Balmas, Vice President of Research at Salt Security, a Palo Alto, Calif.-based provider of API security.
But there is an important difference.
“The main difference between this case and most of the previous ones is that usually when an API key is left exposed the major risk is to the application/vendor – a good example of that would be AWS S3 API keys exposed on GitHub,” said Balmas.
“In this case however since users permit the mobile application to use their own Twitter accounts, the issue actually puts them at the same risk level as the application itself,” according to Balmas.
“This adds up to a long list of possible abuses and attack scenarios that are exposed due to the extensive growth of the API and SaaS domains. With such a huge growth rate, it is hard for security practitioners to keep up to speed - and I wouldn’t be surprised if we see more of these and other types of vulnerabilities emerge in the near future.”
- State of API Security: Steep growth in API Attack Traffic
- APIs and Machine Identity: What You Need to Know
- Corsha Improves API Security as Part of Venafi’s Machine Identity Management Development Fund
*CloudSEK inspected the mobile apps uploaded to its BeVigil security search engine for mobile apps.