Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts

3,207 apps have been identified as exposing the application program interface (API) keys of linked Twitter accounts, which can be used by threat actors to take control of accounts and use them for malicious purposes.

Digital risk monitoring platform CloudSEK identified the threat using BeVirgil, their security search engine for mobile apps, and set out the details in a report. Of the 3,207 apps, 230 apps were leaking all four authentication credentials necessary to fully take over accounts, which can be accessed simply by downloading and decompiling each app.

Researchers stated that with the leaked keys, threat actors could access Twitter accounts and perform a range of actions such as read direct messages, retweet and like other tweets, delete tweets, remove or add followers and access account settings.

CloudSEK also outlined a scenario in which threat actors could use a ‘bot army’ of seized accounts to perform attacks such as widespread disinformation campaigns, having verified accounts post malware or phishing links, inflate or deflate stock with spam posts, or promote cryptocurrency.

Aside from the immediate cost to companies of recovering accounts, the potential for reputational damage as a result of the vulnerability is sizeable.

Verified accounts in particular are prized by threat actors for their perceived trustworthiness, but after widespread tweets containing malware or phishing links, customers might struggle to trust a company’s Twitter again.

57 of the apps had premium or enterprise subscriptions for Twitter API, which cost between $149 and $,2499 per month. Researchers indicated that the apps affected ranged in size from small to very large 'unicorns'.

APIs are used to extend the functionality of an app to other developers, allowing them to embed the app in novel ways within their own program through the use of an interface.

Twitter uses OAuth tokens to link user accounts through the API without the need for the user’s password each time, and the standard is similarly used by Google, Facebook and Microsoft.

Researchers advised app developers to avoid directly embedding API keys in the code, and to observe several practices such as standardised review procedures, hiding keys in variables, and rotating keys regularly.

Advisories have been sent to the respective developers. However, Bleeping Computer reports that CloudSEK has not received acknowledgement from many of the apps exposing keys that changes have been implemented to fix the vulnerabilities. As a result, researchers have held off from publishing app names, to prevent spreading live vulnerability information.

"Whilst the "hack" itself is enabled by sloppy coding practices it highlights a very important point," commented Michael Tanaka, chief commercial officer at security firm MIRACL.

"The attacker can only abuse the privileges that the user has given to the app. Users should always review and question the purpose of any requested privileges, and if there is any doubt, deny them."

IT Pro has approached CloudSEK for comment.

This article has been updated to include comment from Michael Tanaka.