Tue | Aug 2, 2022 | 5:01 PM PDT

New research from security firm CloudSEK shows that more than 3,200 mobile applications were leaking Twitter API (Application Program Interface) keys, which can be used to gain access and take over user accounts.

The research highlights how these API keys could be used to create an army of Twitter bots and potentially wage some kind of misinformation war, something we have all probably grown a little too familiar with in the last few years.

Researchers learned that 3,207 apps were leaking valid Consumer Key and Consumer Secret information. Of those, 230 were leaking all four authorization credentials and could be used to fully take over Twitter accounts. Once taken over, threat actors could perform actions such as:

•  Read Direct Messages
•  Retweet
•  Like
•  Delete
•  Remove followers
•  Follow any account
•  Get account settings
•  Change display picture

CloudSEK asks in its report, "What all can go wrong with just a bunch of API keys and tokens?" Their response: everything.

What is Twitter API and why has it become an issue?

The Twitter API essentially allows developers to access the application's core functionalities like viewing and sending tweets, DMs, followers, etc. Twitter allows developers access so that they can create their own unique ways of embedding Twitter's data and functionality in their apps. 

CloudSEK uses the example of a gaming app that would post your high score directly to your Twitter feed, which is powered by the API.

The report explains in more detail:

"Since the Twitter API provides direct access to a Twitter account, there must be some form of authentication involved. Sending passwords with each request to the API is not an efficient and secure
method. Hence, OAuth tokens are used by the Twitter API. OAuth ('Open Authorization') is an open standard for access delegation, commonly used as a means to grant API access without using the
password each time. This standard is also used by Amazon, Google, Facebook, and Microsoft.

To understand it intuitively, suppose that you have the color red as your password. Now if you mix it with blue, you end up with purple color. Now when the app is presented with the color purple, it will know that red was involved too and hence it is valid. Similarly, you can make a new color combination and revoke a previous combination."

Along with OAuth, Twitter API also uses controls such as app-based authentication and user-based authentication.

Yaniv Balmas, Vice President of Research at Salt Security, shared his thoughts with SecureWorld News on the leaked Twitter API keys:

"The exposed Twitter API key issue adds up to many similar reported issues in the past in which secret API keys are mistakenly leaked, either in an opensource version of the software, in a publicly exposed resource, or within mobile application such as in this case.

The main difference between this case and most of the previous ones is that usually when an API key is left exposed, the major risk is to the application/vendor; a good example for that will be AWS S3 API keys exposed on Github. In this case, however, since users permit the mobile application to use their own Twitter accounts, the issue actually puts them at the same risk level as the application itself.

This adds up to a long list of possible abuses and attack scenarios that are exposed due to the extensive growth of the API and SaaS domains. With such a huge growth rate, it is hard for security practitioners to keep up to speed, and I wouldn't be surprised if we see more of these and other types of vulnerabilities emerge in the near future."

Using Twitter APIs to build a bot army

The report dives deep into how threat actors could use exposed Twitter API keys to build a bot army, or botnet, that could quickly spread misinformation. It starts with the obvious: an army requires a large number of soldiers to attack.

These soldiers come from vulnerabilities in mobile applications. These vulnerabilities are often the result of a developer error, where they might save credentials within the application during development but forget to remove them before deployment.

If the credentials are still there when it hits the app store, the API keys are there for the taking. All a threat actor would have to do is download the app and decompile it to get the API credentials. From there, bulk API keys and tokens can be taken to prepare a Twitter bot army.

Researchers provide four attack scenarios that could follow a situation like this:

Scenario 1:
Tweets and their subsequent retweets gain global attention. So, a Twitter bot army can be used to spread misinformation on any topic ranging from vaccines to elections, thereby affecting millions across the globe.

Scenario 2:
Twitter can be used to spearhead malware attacks through verified accounts passed on among legitimate followers. So, a Twitter bot army can run large-scale malware campaigns to infect systems, some of which could be critical infrastructure or SCADA systems.

Scenario 3:
Spamming is another way to reach a massive audience and disseminate information related to cryptocurrency or the stock market. So, a Twitter bot army can be used to inflate or deflate the value of a cryptocurrency or the stock value of a corporation.

Scenario 4:
Phishing is a strategy used by threat actors to obtain sensitive user information. And the collected PII can be used to launch other social engineering attacks or identity theft. So, a Twitter bot army automates phishing, on a large scale, to collect credentials. The trust that users have in verified accounts can be used to lure even the most educated of users.

Social media platforms have faced immense criticism, as they have been used to spread misinformation about important political topics, such as the 2020 U.S. elections, that can have serious real-world consequences.

CloudSEK has outlined one way to better defend against misinformation with this research. See the original report for more information.