Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

2022-08-02 06:41

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts.

"Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said.

What's more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps can be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.

In the past, CloudSEK researchers have uncovered the secret keys for GitHub, AWS, HubSpot, and Razorpay accounts from unprotected mobile apps.

To mitigate such attacks, it's recommended to review code for directly hard-coded API keys, while also periodically rotating keys to help reduce probable risks incurred from a leak.

"Variables in an environment are alternate means to refer to keys and disguise them apart from not embedding them in the source file," the researchers said.

News URL

https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.html

#API #mobile #researcher #twitter

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Twitter		6	1	7	1	0	9