Do you want to build your own army? CloudSEK engineers have published a report on how that can be done with Twitter bots, thanks to API keys leaking from applications.
The company’s researchers say they have discovered 3,207 apps that leak Twitter API keys, which can be used to access or even take over Twitter accounts entirely.
Twitter conveniently exposes an API to give developers access to the microblogging platform. It allows developers to use features such as reading and sending tweets and direct messages, following and unfollowing users, and so on. It has occasionally proved controversial, and recently Elon Musk’s legal team complained about API limits. Musk’s claim was that he was unable to determine how many Twitter accounts were controlled by bots or were otherwise inauthentic.
That same API has proven to be a boon to developers whose work is made easier by its functionality, although it also occasionally annoys users (for example, when certain games add recent scores to users’ Twitter timelines).
Who would need a bot army?
However, the API is not really the problem. The problem is the authentication keys given to developers for API access and how those keys are stored. And yes, according to the security house, the keys are sometimes kept within the code in an accessible way. The example given was a mobile application where the API was used during testing and the credentials were stored in the app; when the app went into production, the keys were never removed. Miscreants can simply download the app, decompile it and extract the API keys.
“From here, bulk API keys and tokens can be collected to prepare the Twitter bot army,” the researchers said.
And what could one do with such an army? Scenarios put forward by CloudSEK included spreading misinformation, firing malware attacks from supposedly trusted accounts, spamming and the inevitable phishing.
Of the 3,207 leaking apps, 57 had premium or enterprise subscriptions to the Twitter API (which the researchers say cost $149/month), and some of the leaked credentials belonged to verified Twitter accounts. 230 of the apps leaked enough credentials to allow a full account takeover.
What can be done? The answer is simply good hygiene. While it may not be very fashionable in the modern development world, CloudSEK recommends proper versioning, backed by code reviews and approvals. Keys must be rotated, and it is recommended to keep them in environment variables rather than in the code.
“Adequate care,” researchers wrote, “should be taken to ensure that files containing environment variables are not included in the source code.”
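The two failure modes above (credentials left as string literals in a shipped app, and a .env file that is not kept out of the repository) are both mechanically checkable before release. The following scanner is an added example, not CloudSEK's tooling; the variable-name list and the literal shapes it looks for are heuristic assumptions, not Twitter's official key format, and the sample source it scans is constructed.

```python
"""Scan source for Twitter credentials hard-coded as string literals and check that
.env is git-ignored. Added example, not CloudSEK's tooling; patterns are heuristics."""
import re
from pathlib import Path

# Variable names that usually hold Twitter credentials (assumed list), assigned
# with '=' or ':' to a quoted literal of at least 20 token-like characters.
KEY_NAMES = r"(?:consumer|api|twitter)_?(?:key|secret)|access_?token(?:_secret)?|bearer_?token"
PATTERN = re.compile(rf'(?i)\b({KEY_NAMES})\b\s*[:=]\s*["\']([A-Za-z0-9%\-]{{20,}})["\']')

SOURCE_EXTENSIONS = {".py", ".java", ".kt", ".js", ".json", ".xml", ".properties",
                     ".yml", ".yaml", ".env"}

def scan_text(text, path="<string>"):
    """Return (path, line_no, name, redacted_value) for each suspicious literal.
    The value is redacted so the report itself does not re-leak the secret."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PATTERN.finditer(line):
            name, value = m.group(1), m.group(2)
            hits.append((path, no, name, value[:4] + "..." + value[-2:]))
    return hits

def scan_tree(root):
    """Walk a checkout (or decompiler output) and collect findings from source files."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in SOURCE_EXTENSIONS:
            findings += scan_text(p.read_text(errors="ignore"), str(p))
    return findings

def env_file_unignored(gitignore_text):
    """True when no rule in .gitignore covers '.env', i.e. it would be committed."""
    rules = {ln.strip() for ln in gitignore_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")}
    return not any(r in (".env", "/.env", ".env*", "*.env") for r in rules)

# Constructed sample resembling test credentials left behind in a shipped app.
SAMPLE_SOURCE = '''\
# constructed snippet: values below are made up
CONSUMER_KEY = "aB3dE5fG7hI9jK1lM3nO5pQ7r"
consumer_secret = "x1y2z3a4b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0r1s2t3u4v5w6"
access_token: "123456789012345-AbCdEfGhIjKlMnOpQrStUvWxYz0123"
debug = "true"
'''

if __name__ == "__main__":
    for path, no, name, redacted in scan_text(SAMPLE_SOURCE, "app.py"):
        print(f"{path}:{no}: {name} = {redacted}")
    print("'.env' not ignored:", env_file_unignored("node_modules/\n*.log\n"))
```

Run it as a pre-commit or CI step over the checkout and, for a release build, over the decompiled APK output, so a key that survives into the shipped artefact is caught before publication.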
While leaving secrets in the code may sound like an anecdote fit for our weekly Who, Me? column (where Register readers confess to making a mess in the pursuit of IT excellence), the report is proof that shoddy coding practices are alive and well, with potentially disastrous consequences for the organizations and accounts involved. ®