Mobile apps should always be given the once-over before using to ensure they respect privacy and take security seriously, but Twitter users will want to pay special attention to apps they link their accounts to. A new study from CloudSEK found that 3,200 of these apps that ask for user login information are leaking Twitter API keys that could be used for account hijacking and other types of attacks.
These Twitter API keys are just sitting in the app code, waiting for an attacker to look them up. And thus far just one app out of the thousands impacted is known to have patched the issue.
Account hijacking a possibility if Twitter users link credentials to vulnerable apps
The findings of this study will no doubt be of interest to threat actors, who have found a variety of uses for stolen Twitter accounts in recent years. While social media account hijacking may not be one of the highest priorities for criminals, there will always be a good amount interested in anything that is this easy to take advantage of. Stolen Twitter accounts can be used to pass malware to trusting followers, run crypto scams or become part of a propaganda or disinformation campaign.
The account hijacking danger is to users that allow other apps to access their Twitter login credentials, for the purpose of automatically posting updates to Twitter that are generated by the linked app. The vulnerability is caused by app developers that leave Twitter API keys that are used for testing in the app’s code; these are supposed to be scrubbed out before the app is released to the public, but as this new report demonstrates, there are at least 3,200 that forgot to do that.
The risk is not just to individual Twitter users, but to potentially tens of thousands of companies that make use of this sort of cross-account posting. Attackers could compromise thousands of accounts in a short amount of time to create a mass force of bots that could be leveraged for further attacks.
Code for mobile apps contain Twitter API keys that can open doors for attackers
The study did not name specific apps that are leaking Twitter API keys, but companies that use a centralized interface to post updates to multiple accounts via Open Authorization tokens should be particularly wary of the account hijacking possibilities here.
The Twitter API keys are not difficult to find in app code; the researchers simply searched four common locations in which developers place keys for testing. All an attacker has to do is decompile an app and check these usual locations to find them, so widespread exploitation of this vulnerability is anticipated.
However, not all of the apps are leaking the same amount of credentials. The researchers say only 230 are leaking Twitter API keys and associated components needed to fully take over an account. Others are leaking only pieces and select tokens that could allow an attacker to bypass authorization for some account functions, but not log into it and move freely within it.
The account hijacking vulnerability is also not isolated to a particular industry or type of mobile app. A broad variety are vulnerable, with the only shared commonality that they allow users to link Twitter accounts to them. The one app that was identified is the one that fixed the problem prior to the publication of the study, a promotional app from Ford motor company.