When a developer wants to integrate an app with Twitter, they receive special authentication keys or tokens. These allow the app to interact with the Twitter API. Then, any time a user connects a Twitter account to the developer’s app, the same keys enable the app to act on behalf of that user. According to CloudSEK, the app developers made a huge mistake by embedding these Twitter API authentication keys in their apps. They also forgot to remove them once the app was released.
Bleeping Computer reports that 3,207 mobile apps are currently exposing Twitter API credentials. These keys could give attackers access to user accounts. These days, Twitter is in the news because of its ongoing dispute with Elon Musk regarding the purchase of the firm. But in the midst of its legal battles, the social media network faces a serious security risk: the cybersecurity firm CloudSEK claims in its research that 3,207 apps expose a valid Consumer Key and Consumer Secret for the Twitter API.
Highlights
Bleeping Computer says it has the full list of impacted applications, which have between 50,000 and 5,000,000 downloads each. The apps range from transportation companions and radio tuners to book readers, event loggers, newspapers, e-banking apps, cycling GPS apps, and more.
CloudSEK says account hijackers can do almost anything with a compromised account, including reading direct messages, liking and retweeting tweets, creating or deleting tweets, removing or adding followers, changing account settings, or changing the account’s pictures. The cybersecurity firm also warns that account hijackers could assemble an army of verified Twitter accounts to promote fake news, malware campaigns, cryptocurrency scams, and more.
Most of the impacted applications claim they have not received CloudSEK’s notices, and most of them still have not fixed the issue. The source did not disclose the names of the apps. However, it says Ford Motors was the only company that responded quickly and fixed the issue in its “Ford Events” app.
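The root cause described in the opening paragraph, a Consumer Key and Consumer Secret shipped inside the app package, is the kind of defect a pre-release check can catch. The following scanner is an added example written for this article; it is not code from CloudSEK, Bleeping Computer or any of the affected apps. It assumes the common naming conventions for these credentials (consumer_key, api_secret, oauth_consumer_secret and similar) and treats the 25- and 50-character alphanumeric shapes as a heuristic for what a Twitter consumer key and secret typically look like, not as a specification. The sample source it scans is constructed and every credential value in it is fake.

```python
"""Flag hard-coded Twitter API consumer credentials in app source and config.

Added example for this article (not from the CloudSEK report). Assumptions:
  * credential variable names follow the usual conventions (consumer_key,
    api_secret, oauth_consumer_secret, ...);
  * a real secret is a long, high-entropy alphanumeric literal, while
    placeholders ("YOUR_API_KEY") and runtime lookups (os.environ[...]) are not.
"""
import math
import re
from dataclasses import dataclass
from typing import List

# Names under which Twitter app credentials are commonly stored (assumed convention).
KEY_NAMES = r"(?:twitter_)?(?:consumer|api|app)_?(?:key|secret)|oauth_consumer_(?:key|secret)"

# `name = "literal"` / `name: "literal"` in Java, Kotlin, Swift, JS, Python, .properties, JSON.
ASSIGN_RE = re.compile(
    rf"(?P<name>{KEY_NAMES})\s*[:=]\s*[\"'](?P<value>[A-Za-z0-9_\-]{{16,}})[\"']",
    re.IGNORECASE,
)
# Android string resources: <string name="consumer_secret">literal</string>
XML_RE = re.compile(
    rf"<string\s+name=[\"'](?P<name>{KEY_NAMES})[\"']\s*>(?P<value>[A-Za-z0-9_\-]{{16,}})</string>",
    re.IGNORECASE,
)
# Obvious stand-ins that should not be reported as leaks.
PLACEHOLDER_RE = re.compile(r"^(?:x+$|your[_-]?|changeme|placeholder|todo|replace)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    name: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; random credentials score well above prose or placeholders."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_source(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return every credential-shaped literal assigned to a credential-like name."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for regex in (ASSIGN_RE, XML_RE):
            for m in regex.finditer(line):
                value = m.group("value")
                if PLACEHOLDER_RE.match(value):
                    continue  # documentation placeholder, not a secret
                ent = shannon_entropy(value)
                if ent >= min_entropy:
                    findings.append(Finding(line_no, m.group("name"), value, ent))
    return findings


# Constructed sample of an app's constants, resources and config. All values are fake.
SAMPLE_SOURCE = """\
public static final String TWITTER_CONSUMER_KEY = "a1B2c3D4e5F6g7H8i9J0kLmNo";
public static final String TWITTER_CONSUMER_SECRET = "Zq8vL3pR7tY2wX9bN4mK6hJ1sD5fG0aQeRtYuIoPaSdFgHjKlZ";
api_key = "YOUR_API_KEY_HERE"
consumer_key = os.environ["TWITTER_CONSUMER_KEY"]
<string name="oauth_consumer_secret">Zq8vL3pR7tY2wX9bN4mK6hJ1sD5fG0aQeRtYuIoPaSdFgHjKlZ</string>
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} = {f.value[:6]}... (entropy {f.entropy:.2f} bits/char)")
```

Lines 1, 2 and 5 of the sample are reported; the placeholder on line 3 and the runtime environment lookup on line 4 are not. Running a check like this over decompiled resources or the source tree before release catches the embedding mistake the article describes. It does not make a shipped secret safe: a Consumer Secret inside a public client can always be extracted, so the durable fix is to keep it server-side and have the app call a backend that holds the credential.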