Researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of which can be utilized to gain unauthorized access to Twitter accounts associated with them.
The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.
"Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said.
This can range from reading direct messages to carrying out arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture.
Access to the Twitter API requires generating secret keys and access tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made.
A malicious actor in possession of this information can, therefore, create a Twitter bot army that could be potentially leveraged to spread mis/disinformation on the social media platform.
"When multiple account takeovers can be utilized to sing the same tune in tandem, it only reiterates the message that needs to get disbursed," the researchers noted.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
What's more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps can be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.
Added to the concern, it should be noted that the key leak is not limited to Twitter APIs alone. In the past, CloudSEK researchers have uncovered the secret keys for GitHub, AWS, HubSpot, and Razorpay accounts from unprotected mobile apps.
To mitigate such attacks, it's recommended to review code for directly hard-coded API keys, while also periodically rotating keys to help reduce probable risks incurred from a leak.
"Variables in an environment are alternate means to refer to keys and disguise them apart from not embedding them in the source file," the researchers said.
"Variables save time and increase security. Adequate care should be taken to ensure that files containing environment variables in the source code are not included."