Security News

Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications. Researchers at the company say they've uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely take over Twitter accounts.

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. "Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said.

Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app. The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API. When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.

A new report from Osterman Research codifies the increasing dependence of businesses upon their mobile apps, and reveals a jarring disconnect between the strategic importance of apps versus the level of focus and resources applied to protect organizational apps against runtime threats. Poor visibility into security threats against mobile apps.

July may positively disrupt and adrenalize the old-fashioned Dynamic Application Security Scanning market, despite the coming holiday season. The pathbreaking innovation comes from ImmuniWeb, a global application security company, well known for, among other things, its free Community Edition that processes over 100,000 daily security scans of web and mobile apps.

While API gateways play a vital role in API management and API delivery, they provide a variety of core functionality for API security. It might be tempting to adhere to API gateway alone to meet security objectives.

The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation. The volume of APIs used by businesses is growing rapidly; nearly half of all businesses have between 50-500 deployed, either internally or publicly, while some have over a thousand active APIs.

An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. The issue, previously reported in 2015 and 2019, is rooted in the fact that the API permits access to historical logs in cleartext format, enabling a malicious party to even "Fetch the logs that were previously unavailable via the API.".

What makes these attacks so interesting is how they are executed: unlike a traditional "Hack," an API attack doesn't hinge on there being something wrong with the API. Rather, attackers can legitimately use the way an API functions against it and can simply find out if it hasn't been developed securely through standard interaction. In some cases, the data used by the API has no user validation and is accessible to the public, while in other cases error messages return too much information, providing the attacker with more information on how to abuse the API. Defending against BOLA attacks requires the validation of all user privileges for all functions across the API. API authorization should be well defined in the API specification and random/unpredictable IDs.

Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products to execute arbitrary operating system commands and steal select information. CVE-2022-26531 - Several input validation flaws in command line interface commands for some versions of firewall, AP controller, and AP devices that could be exploited to cause a system crash.