Over 3200 Apps Expose Twitter API Keys

Twitter API keys
Written by Emma Davis

Security firm CloudSEK has identified 3,207 mobile apps that expose Twitter API keys to the public, allowing attackers to take over Twitter user accounts associated with those apps.

By the way, we also wrote that Apps that spread AlienBot and MRAT malware found on Google Play, and also that Attackers Hack into Accounts Posing as Verified Twitter Accounts.

Twitter API keys

CloudSEK analysts targeted large numbers of applications looking for potential data breaches and as a result discovered thousands of valid Consumer Keys and Consumer Secrets for the Twitter API.

The fact is that when integrating mobile applications with Twitter, developers are provided with special authentication keys or tokens that allow their applications to interact with the Twitter API. When a user links their Twitter account to such a mobile app, the keys give the app the ability to act on the user’s behalf, such as logging in with Twitter, tweeting, sending private messages, and so on. For this reason, it is strongly discouraged to store the keys directly in the application, where outsiders can get to them.

CloudSEK explains that leaked API keys are usually the result of a mistake or oversight by developers who forget to delete them before a product is released. In these cases, the credentials are usually stored in the following locations:

  1. resources/res/values/strings.xml
  2. source/resources/res/values-es-rAR/strings.xml
  3. source/resources/res/values-es-rCO/strings.xml
  4. source/sources/com/app-name/BuildConfig.java

One of the most obvious abuse scenarios for such keys is the creation of an army of verified accounts on Twitter with large followings to promote fake news and malware campaigns, cryptocurrency scams, and so on.

The Bleeping Computer, with which analysts shared a list of problematic applications, reports that these applications have between 50,000 and 5,000,000 downloads and are related to urban transport, reading books, newspapers, electronic banking, GPS bike trackers and so on.

Unfortunately, most of the developers who leaked API keys did not contact CloudSEK even a month after receiving the warnings, and in most applications the problems were not fixed. For this reason, researchers and journalists do not disclose the names of vulnerable products, because they can still be used to take over other people’s Twitter accounts.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply