Thousands of mobile apps are leaking Twitter API keys – some of which give attackers a way to access or take over the Twitter accounts of users of these applications and build a bot army to spread disinformation, spam, and malware through the social media platform.
Researchers at India-based CloudSEK said they had identified a total of 3,207 mobile applications that were leaking valid Twitter Consumer Key and Secret Key information. About 230 of the applications also leaked OAuth access tokens and access secrets.
Together, the information gives attackers a way to access the Twitter accounts of the users of these applications and perform various actions. These include reading messages; retweeting, liking, or deleting posts on behalf of the user; removing followers or following new accounts; and changing account settings such as the display image, CloudSEK said.
Application developer error
The vendor attributed the problem to application developers who saved the authentication information in their mobile applications during development so that they could interact with Twitter’s API. The API provides third-party developers with a way to embed Twitter functionality and data into their applications.
“For example, if a gaming app posts your highest score directly to your Twitter feed, it’s powered by the Twitter API,” CloudSEK said in a report of its findings. However, often developers fail to remove the authentication keys before uploading the app to a mobile app store, exposing Twitter users to an increased risk, the security vendor said.
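The report's findings call for a release-time check that catches exactly this mistake. The following is an added example, not code from CloudSEK or the article: it walks an unpacked app bundle (constructed sample files here) and flags Twitter consumer key/secret or OAuth access token assignments whose values are not empty or templated placeholders. The identifier patterns and the set of scanned file types are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files mimicking resources inside a built app bundle; values are made up.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">ScoreShare</string>\n'
        '  <string name="twitter_consumer_key">CONSTRUCTEDkey0123456789ab</string>\n'
        '  <string name="twitter_consumer_secret">CONSTRUCTEDsecret0123456789abcdefghij</string>\n'
        '</resources>\n'),
    # The safe pattern: empty or templated values that are injected at build time.
    "assets/config.json": '{"twitter_access_token": "", "twitter_access_token_secret": "${TWITTER_SECRET}"}',
}

# Credential names the report cites (consumer key/secret, OAuth access token/secret) followed by
# an assignment in XML ('">value'), JSON (': "value"') or .properties ('=value') form.
ASSIGNMENT = re.compile(
    r'(?P<name>[\w.\-]*(?:consumer[_\-]?(?:key|secret)|access[_\-]?token(?:[_\-]?secret)?)[\w.\-]*)'
    r'["\']?\s*[:=>]\s*["\']?(?P<value>[^"\'<>\s,]*)',
    re.IGNORECASE)
# Values that are clearly not live credentials: empty, templated, or obvious placeholders.
PLACEHOLDER = re.compile(r'^\s*$|^\$\{[^}]*\}$|^(your|replace|changeme|xxx|todo)', re.IGNORECASE)

def scan_text(text: str, path: str) -> list[dict]:
    # One finding per credential assignment whose value is not a placeholder.
    findings = []
    for m in ASSIGNMENT.finditer(text):
        value = m.group("value")
        if PLACEHOLDER.search(value):
            continue
        # Never log the secret itself; a masked preview is enough to locate it.
        findings.append({"file": path, "name": m.group("name"), "preview": value[:4] + "..."})
    return findings

def scan_bundle(root: Path) -> list[dict]:
    # Walk an unpacked bundle and scan every text resource a credential could hide in.
    findings = []
    for f in sorted(root.rglob("*")):
        if f.is_file() and f.suffix.lower() in {".xml", ".json", ".properties", ".plist", ".txt", ".js"}:
            findings.extend(scan_text(f.read_text(errors="ignore"), str(f.relative_to(root))))
    return findings

def demo() -> list[dict]:
    # Write the constructed sample bundle to a temp dir and scan it; any hit should fail the build.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_bundle(root)
```

Running this as a CI step before the store upload turns the "forgot to remove the keys" failure into a build break rather than a post-release disclosure.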
“Uncovering an ‘all access’ API key is essentially giving away the front door keys,” said Scott Gerlach, co-founder and CSO at StackHawk, a provider of API security testing services. “You need to understand how to manage user access to an API and how to securely grant access to the API. If you don’t understand that, you’ve put yourself way behind the eight ball.”
CloudSEK has identified multiple ways for attackers to exploit the exposed API keys and tokens. By embedding them in a script, an adversary could potentially assemble a Twitter bot army to spread disinformation on a large scale. “Multiple account takeovers can be used to sing the same tune in succession, repeating the message to be paid out,” the researchers warned. Attackers can also use verified Twitter accounts to distribute malware, spam and conduct automated phishing attacks.
The Twitter API problem that CloudSEK identified resembles previously reported cases of secret API keys being accidentally leaked or exposed, said Yaniv Balmas, vice president of research at Salt Security. “The main difference between this case and most of the previous ones is that when an API key is exposed, the greatest risk is for the application/vendor.”
Take, for example, the AWS S3 API keys that appear on GitHub, he says. “However, in this case, since users allow the mobile application to use their own Twitter accounts, the issue essentially puts them at the same level of risk as the application itself.”
Such leaks of secret keys open the potential for many possible exploits and attack scenarios, Balmas says.
Peak Mobile/IoT Threats
CloudSEK’s report comes in the same week as a new Verizon report that highlighted a 22% year-over-year increase in major cyberattacks involving mobile and IoT devices. In the Verizon report, based on a survey of 632 IT and security professionals, 23% of respondents said their organization had experienced a major mobile security issue in the past 12 months. The survey revealed a high level of concern about threats to mobile security, particularly in the retail, financial, healthcare, manufacturing and public sectors. Verizon attributed the increase to the shift to remote and hybrid work over the past two years and the resulting explosion in the use of unattended home networks and personal devices to access company assets.
“Attacks against mobile devices — including targeted attacks — continue to increase, as does the proliferation of mobile devices to access corporate resources,” said Mike Riley, senior solutions specialist, enterprise security at Verizon Business. “Notably, the number of attacks is increasing year on year, with respondents reporting that the severity has increased along with the increase in the number of mobile/IoT devices.”
The biggest impact to organizations from attacks on mobile devices has been data loss and downtime, he adds.
Phishing campaigns targeting mobile devices have also skyrocketed in the past two years. Telemetry that Lookout collected and analyzed from more than 200 million devices and 160 million apps showed that in 2021, 15% of business users and 47% of consumers experienced at least one mobile phishing attack in each quarter, an increase of 9% and 30%, respectively, over the previous year.
“We need to look at security trends on mobile in the context of protecting data in the cloud,” said Hank Schless, senior manager of security solutions at Lookout. “Securing the mobile device is an important first step, but to fully secure your organization and its data, you need to be able to use mobile risk as one of the many signals that fuel your security policies for accessing data in the cloud, regardless premises and private apps.”