Thousands of mobile apps are leaking Twitter API keys — some of which give adversaries a way to access or take over the Twitter accounts of users of these applications and assemble a bot army for spreading disinformation, spam, and malware via the social media platform.
Researchers from India-based CloudSEK said they had identified a total of 3,207 mobile applications leaking valid Twitter Consumer Key and Secret Key information. Some 230 of the applications were found leaking OAuth access tokens and access secrets as well.
Together, the information gives attackers a way to access the Twitter accounts of the users of these applications and carry out a variety of actions. This includes reading messages; retweeting, liking, or deleting messages on the user's behalf; removing followers or following new accounts; and going to account settings and doing things like changing the display picture, CloudSEK said.
Application Developer Error
The vendor attributed the issue to application developers saving the authentication credentials within their mobile application during the development process so they can interact with Twitter's API. The API gives third-party developers a way to embed Twitter's functionality and data into their applications.
"For example, if a gaming app posts your high score on your Twitter feed directly, it is powered by the Twitter API," CloudSEK said in a report on its findings. Often, though, developers fail to remove the authentication keys before uploading the app to a mobile app store, thereby exposing Twitter users to heightened risk, the security vendor said.
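A defensive check for the failure mode described above, added here as an example and not CloudSEK's own tooling: a scanner that flags hardcoded Twitter consumer keys and OAuth access tokens in decompiled app sources (apktool or jadx output) before an app is published. The credential length patterns are assumptions based on commonly observed formats, and the source snippet it scans is constructed.

```python
import os
import re
from typing import Iterator

# Typical shapes of Twitter credentials. Assumption: these are the commonly observed
# lengths used by secret scanners, not a format Twitter guarantees.
SHAPES = {
    "consumer_key": re.compile(r"[A-Za-z0-9]{25}"),
    "access_token": re.compile(r"[0-9]{5,20}-[A-Za-z0-9]{40}"),
    "access_secret": re.compile(r"[A-Za-z0-9]{45}"),
    "consumer_secret": re.compile(r"[A-Za-z0-9]{50}"),
}

# A credential-looking identifier followed within 40 chars by a quoted literal on the
# same line. Requiring the identifier keeps random 25/50-char strings (ids, hashes) out.
FINDING_RE = re.compile(
    r"(?P<name>[A-Za-z0-9_.]*(?:twitter|consumer|oauth|access_?token|access_?secret)"
    r"[A-Za-z0-9_.]*)[^\"'\n]{0,40}?[\"'](?P<value>[^\"'\n]+)[\"']",
    re.IGNORECASE,
)

# Constructed sample resembling decompiled Java sources; the values are fake.
SAMPLE = """
public static final String TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY";
public static final String TWITTER_CONSUMER_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWx";
String accessToken = "1234567890-AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMn";
String accessTokenSecret = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrS";
String sessionId = "AbCdEfGhIjKlMnOpQrStUvWxY";  // same length, no credential name: ignored
"""


def find_twitter_credentials(text: str) -> list[dict]:
    """Return findings as dicts; the secret itself is reduced to a short preview."""
    findings = []
    for m in FINDING_RE.finditer(text):
        value = m.group("value")
        for kind, shape in SHAPES.items():
            if shape.fullmatch(value):
                findings.append({"kind": kind, "name": m.group("name"),
                                 "preview": value[:4] + "..." + value[-2:]})
                break
    return findings


def scan_tree(root: str) -> Iterator[tuple[str, dict]]:
    """Walk a decompiled app directory and yield (path, finding) for source/config files."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith((".java", ".kt", ".smali", ".xml", ".json", ".properties")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for finding in find_twitter_credentials(fh.read()):
                        yield path, finding
```

Any hit is a release blocker: the fix is to move the call to a backend that holds the consumer secret, and to revoke and regenerate any key that already shipped.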
"Exposing an 'all access' API key is essentially giving away the keys to the front door," says Scott Gerlach, co-founder and CSO at StackHawk, a provider of API security testing services. "You have to understand how to manage user access to an API and how to securely provision access to the API. If you don't understand that, you have put yourself way behind the eight ball."
CloudSEK identified multiple ways that attackers can abuse the exposed API keys and tokens. By embedding them into a script, an adversary could potentially assemble a Twitter bot army to spread disinformation on a mass scale. "Multiple account takeovers can be used to sing the same tune in tandem, reiterating the message that needs to be disbursed," the researchers warned. Attackers also could use verified Twitter accounts to spread malware and spam and to carry out automated phishing attacks.
The Twitter API issue that CloudSEK identified is akin to previously reported instances of secret API keys being mistakenly leaked or exposed, says Yaniv Balmas, vice president of research at Salt Security. "The main difference between this case and most of the previous ones is that usually when an API key is left exposed, the major risk is to the application/vendor."
Take the AWS S3 API keys exposed on GitHub, for example, he says. "In this case, however, since users permit the mobile application to use their own Twitter accounts, the issue actually puts them at the same risk level as the application itself."
Such leaks of secret keys open up the potential for numerous possible abuses and attack scenarios, Balmas says.
Surge in Mobile/IoT Threats
CloudSEK's report comes the same week as a new report from Verizon that highlighted a 22% year-over-year increase in major cyberattacks involving mobile and IoT devices. Verizon's report, based on a survey of 632 IT and security professionals, had 23% of the respondents saying their organizations had experienced a major mobile security compromise in the past 12 months. The survey showed a high level of concern over mobile security threats, especially in the retail, financial, healthcare, manufacturing, and public sectors. Verizon attributed the increase to the shift to remote and hybrid work over the past two years and the resulting explosion in the use of unmanaged home networks and personal devices to access enterprise assets.
"Attacks on mobile devices — including targeted attacks — continue to increase, as does the proliferation of mobile devices to access corporate resources," says Mike Riley, senior solution specialist, enterprise security at Verizon Business. "What stands out is the fact that attacks are up year-over-year, with respondents stating that the severity has grown along with the increase in the number of mobile/IoT devices."
The biggest impact for organizations from attacks on mobile devices was data loss and downtime, he adds.
Phishing campaigns targeting mobile devices have soared as well over the past two years. Telemetry that Lookout collected and analyzed from over 200 million devices and 160 million apps showed that 15% of enterprise users and 47% of consumers experienced at least one mobile phishing attack in each quarter in 2021 — a 9% and 30% increase, respectively, from the prior year.
"We need to look at security trends on mobile in the context of protecting data in the cloud," says Hank Schless, senior manager, security solutions at Lookout. "Securing the mobile device is an important first step, but to fully secure your organization and its data, you need to be able to use mobile risk as one of the many signals that feed your security policies for accessing data in cloud, on-prem, and private apps."