Researchers have discovered nearly 3,200 mobile apps that leaked Twitter API access keys
Researchers have found 3,207 mobile apps that expose Twitter API keys in the clear, some of which can be used to gain unauthorized access to the Twitter accounts of every user who has linked them to these apps.
Singapore-based cybersecurity firm CloudSEK said in a report that the takeover of Twitter accounts linked to the apps was made possible by the leak of the apps' legitimate API credentials.
Of the 3,207 apps, 230 leak all four Twitter API authentication credentials and can be used to take full control of the Twitter accounts of users who have granted access to those apps, including executing sensitive actions such as posting tweets on their behalf.
Whoever holds these credentials can read private messages and perform arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing an account's profile picture.
Access to the Twitter Developer API requires generating secret keys and access tokens, which act as the username and password both for the application and for the users on whose behalf API requests are sent.
Thus, whoever obtains these keys can build a bot army on Twitter and use it to spread false or misleading information on the platform, for example by pushing fake news from hijacked user accounts for as long as the keys to those applications remain valid.
API keys and tokens harvested from mobile apps can also be embedded in a program to run large-scale malware campaigns through authentic Twitter user accounts, targeting those accounts' followers.
It should be noted that key leakage is not limited to Twitter APIs alone. In the past, CloudSEK researchers have discovered secret keys for GitHub, AWS, HubSpot, and Razorpay accounts in unprotected mobile apps.
To mitigate such attacks, it is recommended that developers review their application code directly for embedded Twitter API keys, and rotate the keys periodically to limit the damage a leak can cause.
Access keys should also never be shipped inside application resource files.
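As an added example (not from CloudSEK's report or any of the affected apps), the following Python check scans an Android res/values/strings.xml for the four Twitter credentials before a build ships, and reports whether the full set that enables account takeover is present. The credential shapes are assumptions drawn from common secret-scanning rules, not an official Twitter specification, and the sample resource files and values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Assumed shape of each credential type (common secret-scanning heuristics, not official).
CREDENTIAL_SHAPES = {
    "consumer_key": re.compile(r"^[A-Za-z0-9]{25}$"),
    "consumer_secret": re.compile(r"^[A-Za-z0-9]{50}$"),
    "access_token": re.compile(r"^[0-9]{10,25}-[A-Za-z0-9]{20,45}$"),
    "access_token_secret": re.compile(r"^[A-Za-z0-9]{45}$"),
}
# Only resource names that look credential-related are inspected, to limit false positives.
NAME_HINT = re.compile(r"twitter|consumer|access[_-]?token|oauth", re.IGNORECASE)

# Constructed strings.xml that leaks all four credentials (values are fabricated placeholders).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DemoTweeter</string>
    <string name="twitter_consumer_key">abcdefghijklmnopqrstuvwxy</string>
    <string name="twitter_consumer_secret">abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwx</string>
    <string name="twitter_access_token">1234567890-abcdefghijklmnopqrstuvwxyzABCDEFGHIJ</string>
    <string name="twitter_access_token_secret">abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrs</string>
    <string name="api_base_url">https://api.twitter.com/1.1/</string>
</resources>"""

# Constructed file that leaks only the app-level pair: still a leak, but not a full takeover.
PARTIAL_STRINGS_XML = """<resources>
    <string name="twitter_consumer_key">abcdefghijklmnopqrstuvwxy</string>
    <string name="twitter_consumer_secret">abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwx</string>
</resources>"""


def classify_value(value: str) -> Optional[str]:
    """Return the credential type a string value looks like, or None."""
    for kind, shape in CREDENTIAL_SHAPES.items():
        if shape.match(value):
            return kind
    return None


def find_twitter_credentials(strings_xml: str) -> List[Dict[str, str]]:
    """List credential-looking <string> resources; only a short prefix of each value is kept."""
    findings = []
    for elem in ET.fromstring(strings_xml).iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if not NAME_HINT.search(name):
            continue
        kind = classify_value(value)
        if kind:
            findings.append({"resource": name, "type": kind, "prefix": value[:4] + "..."})
    return findings


def full_takeover_possible(findings: List[Dict[str, str]]) -> bool:
    """True when all four credentials are present, the condition behind the 230 worst cases."""
    return {f["type"] for f in findings} == set(CREDENTIAL_SHAPES)
```

Run it in CI against the decoded resources of a release build and fail the build on any finding; the prefix in each report is enough to locate the resource without copying the secret into logs.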