In a report, CloudSEK researchers reveal that 3207 mobile applications leak all or part of their Twitter API keys. The problem is that these keys can let someone take control of the associated Twitter account without knowing its username or password. Because these per-application keys and access tokens authorize API calls without a login, they also make it possible to bypass two-factor authentication.
How Vulnerabilities in 3200+ Mobile Apps Help Hackers Steal Your Twitter Account (and More)
According to CloudSEK, the technique is actively used by hackers, especially those building huge botnets of hijacked accounts to carry out large-scale attacks and effective disinformation campaigns. The firm explains that hackers are likely to combine all the collected keys and tokens into a single program that spreads malware at scale through verified Twitter accounts.
In addition to Twitter, CloudSEK researchers say many applications leak other API keys and access tokens, including those for GitHub, Amazon Web Services (AWS), HubSpot, and Razorpay. The researchers give developers several tips for plugging these leaks of sensitive data, such as referencing these values through variables instead of hardcoding them directly in the app.
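As an added illustration (not code from CloudSEK's report or from the article), a minimal pre-release check a developer could run over decompiled app resources to catch hardcoded credentials of the kind described above. The credential length patterns, the constructed strings.xml sample and the redact/assess helpers are assumptions of this example.

```python
import re

# Constructed sample of a decompiled Android resource file. The values are
# placeholders shaped like Twitter credentials, not real secrets.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">DemoApp</string>
    <string name="twitter_consumer_key">abcdefghijklmnopqrstuvwxy</string>
    <string name="twitter_consumer_secret">ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx</string>
    <string name="twitter_access_token">123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn</string>
    <string name="twitter_access_token_secret">abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS</string>
    <string name="support_url">https://example.invalid/help</string>
</resources>
"""

# Assumed credential shapes: consumer key 25, consumer secret 50, access token
# "<digits>-<40 chars>", access token secret 45 alphanumerics (approximate).
ALNUM = r"(?<![A-Za-z0-9])[A-Za-z0-9]{%d}(?![A-Za-z0-9])"
PATTERNS = {
    "consumer_key": re.compile(ALNUM % 25),
    "consumer_secret": re.compile(ALNUM % 50),
    "access_token": re.compile(r"(?<![A-Za-z0-9])[0-9]{5,}-[A-Za-z0-9]{40}(?![A-Za-z0-9])"),
    "access_token_secret": re.compile(ALNUM % 45),
}
# Only lines naming something credential-related are checked, to cut noise.
CONTEXT = re.compile(r"twitter|consumer|access[_ ]?token|oauth", re.IGNORECASE)

def redact(value):
    """Keep a short prefix/suffix for triage so CI logs never echo the secret."""
    return value[:4] + "*" * (len(value) - 6) + value[-2:]

def scan_text(text, source="<string>"):
    """Return one finding per credential-shaped value on a credential-related line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not CONTEXT.search(line):
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "value": redact(match.group(0))})
    return findings

def assess(findings):
    """Key+secret lets an attacker act as the app, token+secret as the user;
    both together allow posting from the account with no login or 2FA prompt."""
    kinds = sorted({f["kind"] for f in findings})
    app_creds = {"consumer_key", "consumer_secret"} <= set(kinds)
    user_creds = {"access_token", "access_token_secret"} <= set(kinds)
    return {"kinds": kinds, "takeover_risk": app_creds and user_creds}
```

Run `scan_text` over each resource or source file extracted from the build and fail the pipeline when `assess` reports `takeover_risk`.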
For their part, users are advised to regularly review the list of applications connected to their Twitter account (and to their other online accounts). On Twitter, go to Settings > Security > Apps & Sessions > Connected Apps and remove any app you don't use or recognize. In the worst case, the app in question will simply ask you to reconnect your account.