Bengaluru, NFAPost: CloudSEK’s BeVigil, the world’s first security search engine for mobile apps, has uncovered 3207 apps leaking Twitter API keys that can be used to take over Twitter accounts. 230 of these apps, some belonging to unicorns, were leaking all four authentication credentials (Consumer Key, Consumer Secret, Access Token and Access Secret), which can be used to fully take over the associated Twitter accounts and perform critical or sensitive actions such as reading direct messages, retweeting, liking, deleting tweets, removing followers, following any account, reading account settings and changing the display picture.
Twitter is a major social networking site whose handles can easily be used to disseminate misinformation and amplify its reach. The flip side is that scams and threats can be intricately woven into this communication ploy while appearing legitimate. [Full report here]
As with any social networking site, the buck does not stop at mere networking. Twitter goes one step further because it is the sole medium of news and information for many of its nearly 300 million users. Hence, multiple taken-over accounts can be used to sing the same tune in tandem, repeating the message that needs to be spread. The tools needed for a bot army are forged using Twitter endpoints and services such as APIs (Application Programming Interfaces).
An army needs a large number of soldiers to prepare for an attack. In this case, they come from vulnerabilities present in mobile applications. Often the vulnerability is the result of a developer error: while developing a mobile application, developers use the Twitter API for testing and, in doing so, save the credentials inside the mobile application itself.
Sometimes these credentials are not removed before the app is deployed to production. Once the app is uploaded to the Play Store, the API secrets are there for anyone to access: a hacker can simply download the app and decompile it to retrieve the API credentials. In this way, API keys and tokens can be harvested in bulk to build a Twitter bot army that could potentially be leveraged to spread mis/disinformation on the platform.
The takeover is made possible by the leak of a legitimate Consumer Key and Consumer Secret. Access to the Twitter API requires generating secret keys and access tokens, which act as the usernames and passwords for the apps, as well as for the users on whose behalf the API requests are made.
Researchers at CloudSEK inspected the mobile apps uploaded to BeVigil and observed that:
● 5603 companies were leaking Twitter API Keys/Tokens
● 5033 companies were leaking the Twitter Secrets/Token Secret only
● 4810 companies were leaking both the Twitter API Keys/Tokens and the Twitter Secrets/Token Secret
Of these 4810, 3207 companies had both keys valid. 57 of these companies had premium or enterprise subscriptions to the Twitter API, for which they were paying Twitter USD 149/month.
Adding to the concern, the key leakage is not limited to Twitter APIs alone. In the past, CloudSEK researchers have uncovered secret keys for GitHub, AWS, HubSpot and Razorpay accounts in unprotected mobile apps. To help such vendors proactively prevent such leaks, CloudSEK launched its Secrets Scanning Partner Program, which alerts them when their keys are leaking.
It is imperative that API keys are not embedded directly in the code. Developers should also follow secure coding and deployment practices such as standardizing review procedures, hiding keys and rotating API keys.
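The failure mode described earlier (credentials saved in the app during testing and shipped to production) and the advice above about keeping keys out of the code can both be checked for before a build is uploaded. The following is an added example, not BeVigil or any CloudSEK code, of a pre-release scanner that walks an Android project tree for string literals assigned to identifiers that look like the four Twitter credential roles, and reports whether the full set of four is present. The identifier spellings, the file types scanned, and the placeholder filter are assumptions about common developer conventions; the sample project files and credential values are constructed.

```python
"""Pre-release scan for hard-coded Twitter API credentials in an Android
project tree. Added example; not BeVigil or any CloudSEK code."""
import re
from dataclasses import dataclass
from pathlib import Path

# The four credential roles named in the article. The identifier regexes are
# assumptions about common spellings (TWITTER_CONSUMER_KEY, accessTokenSecret, ...).
ROLE_NAME_PATTERNS = {
    "consumer_key":    re.compile(r"(?:consumer|api)[_.]?key$", re.I),
    "consumer_secret": re.compile(r"(?:consumer|api)[_.]?secret$", re.I),
    "access_token":    re.compile(r"access[_.]?token$", re.I),
    "access_secret":   re.compile(r"access[_.]?(?:token[_.]?)?secret$", re.I),
}
FULL_SET = frozenset(ROLE_NAME_PATTERNS)

# Literal assignment in Java/Kotlin/properties files: NAME = "value" or NAME: "value"
ASSIGN_RE = re.compile(r'(?P<name>[A-Za-z_][\w.]*)\s*[=:]\s*"(?P<value>[^"\n]{8,})"')
# Android resource string: <string name="NAME">value</string>
XML_RE = re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]{8,})</string>')
# Gradle: buildConfigField "String", "NAME", '"value"'
GRADLE_RE = re.compile(
    r'buildConfigField\s*\(?\s*"String"\s*,\s*"(?P<name>[^"]+)"\s*,\s*[\'"]+(?P<value>[^\'"]{8,})[\'"]+')
# Obvious stand-ins that are not real secrets (heuristic, assumed spellings)
PLACEHOLDER_RE = re.compile(r"your_|replace|changeme|xxxx|\$\{", re.I)
SCANNED_SUFFIXES = {".java", ".kt", ".kts", ".gradle", ".properties", ".xml"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    role: str
    masked: str  # first four characters only, so the report itself does not re-leak the secret


def classify(name: str):
    """Map an identifier to a credential role, or None if it looks unrelated."""
    for role, pattern in ROLE_NAME_PATTERNS.items():
        if pattern.search(name):
            return role
    return None


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; XML uses the resource-string pattern, everything else the literal patterns."""
    regexes = [XML_RE] if path.endswith(".xml") else [ASSIGN_RE, GRADLE_RE]
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rx in regexes:
            for m in rx.finditer(line):
                role = classify(m.group("name"))
                value = m.group("value")
                if role is None or PLACEHOLDER_RE.search(value):
                    continue
                findings.append(Finding(path, line_no, role, value[:4] + "..."))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: text} mapping (used for the constructed sample below)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> list:
    """Scan a real project directory before it is built and uploaded."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.suffix in SCANNED_SUFFIXES}
    return scan_files(files)


def exposure_level(findings) -> str:
    """'full-takeover' mirrors the article: all four credentials are present together."""
    roles = {f.role for f in findings}
    if roles >= FULL_SET:
        return "full-takeover"
    return "partial" if roles else "none"


# Constructed sample project; every credential value here is a made-up string.
SAMPLE_PROJECT = {
    "app/src/main/java/com/example/TwitterClient.java": (
        "public final class TwitterClient {\n"
        '    static final String TWITTER_CONSUMER_KEY = "CONSTRUCTEDkey0123456789";\n'
        '    static final String TWITTER_CONSUMER_SECRET = "CONSTRUCTEDsecret0123456789abcdef";\n'
        '    static final String LOG_TAG = "TwitterClient";\n'
        "}\n"
    ),
    "app/src/main/res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">Demo</string>\n'
        '    <string name="twitter_access_token">1234567890-CONSTRUCTEDtoken</string>\n'
        '    <string name="twitter_access_token_secret">CONSTRUCTEDaccesssecret</string>\n'
        "</resources>\n"
    ),
    "app/build.gradle": (
        "android {\n"
        '    buildConfigField "String", "TWITTER_API_KEY", \'"YOUR_KEY_HERE"\'\n'
        "}\n"
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_PROJECT)
    for f in found:
        print(f"{f.path}:{f.line}  {f.role:<16} {f.masked}")
    print("exposure:", exposure_level(found))
```

Run against a real checkout with `scan_tree("path/to/android/project")` as a CI gate that fails the build on anything other than `none`; the `LOG_TAG` literal and the `YOUR_KEY_HERE` placeholder in the sample show the two kinds of string the scanner deliberately ignores, while the four constructed credentials trip the `full-takeover` level the article describes.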
It is equally critical for organizations to secure their social media data and prevent their verified handles from being used to spread misinformation. This can be done by enforcing secure coding and deployment policies, in addition to using tools like BeVigil to scan for exposed keys and credentials.
About CloudSEK:
Singapore-headquartered CloudSEK is a contextual AI (Artificial Intelligence) company, founded in 2015 by cybersecurity expert Rahul Sasi, with the aim of building a future where intelligent machines can emulate human cognition to predict cyber threats even before they occur.
CloudSEK’s central proposition is to leverage AI to build a rapid and reliable detection, analysis, and alert system that offers swift detection across internet sources, precision analysis of threats, and prompt resolution with minimal human intervention.
CloudSEK offers the power of Cyber Crime Monitoring, Brand Monitoring, Attack Surface Monitoring, and Supply Chain Intelligence to give context to customers’ digital risks. CloudSEK’s single unified dashboard allows customers to triage and visualize all their digital threats in one place. CloudSEK also offers workflows and integrations to manage and remediate the identified threats. To learn more about CloudSEK, visit www.cloudsek.com.