Millions of Twitter accounts could be at risk of attack due to these security flaws

Thousands of apps are leaking sensitive data

Twitter

Thousands of apps are leaking Twitter API keys, giving attackers the chance to completely take over those accounts, and use them for identity theft (opens in new tab) or other types of cyber-fraud.

The findings come courtesy of cybersecurity experts CloudSEK, which found a total of 3,207 mobile apps leaking valid Consumer Keys, as well as Consumer Secrets, for the Twitter API.

Various mobile apps offer integration with Twitter, allowing those apps to perform certain actions in the users’ stead. The integration is done through the Twitter API and with the help of Consumer Keys and Secrets. By leaking this type of data, the apps potentially allow threat actors to tweet things, send and read direct messages, or similar. In theory, CloudSEK explains, a threat actor could amass an “army” of Twitter endpoints (opens in new tab) that would promote a scam or a malware campaign by tweeting, retweeting, reaching out via DMs, etc.

Millions of downloads

The researchers said the apps in question include e-banking apps, city transportation apps, radio tuners, and similar, and have between 50,000 and five million downloads, each.

In other words, millions of Twitter accounts are most likely at risk.

All of the app owners have been notified, but most of them failed to even acknowledge being notified, let alone address the issue. Ford Motors is one of the companies that fixed the problem fast, on its Ford Events app, it was said.

> Twitter tightens grip on developers with new API restrictions (opens in new tab)

> Twitter’s new API brings new features, will be developer friendly (opens in new tab)

> These are the best identity management software right now (opens in new tab)

Until other apps fix the issue, the list of the apps will not be made public.

API leaks, the researchers added, are usually the result of errors in app development. Sometimes, developers will embed authentication keys in the Twitter API and later forget to remove them.

To prevent such leaks, CloudSEK recommends devs use API key rotation, which would render exposed keys invalid after some time.

Here are the free and paid options for the best firewall software (opens in new tab) to stay protected online

Via: BleepingComputer (opens in new tab)

Content Source

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Millions of Twitter accounts could be at risk of attack due to these security flaws

Millions of downloads

Read Next

Unleash your inner ninja with this limited-edition Naruto gaming collection

Pixel 7 ‘compact’ – AKA Pixel 7a – could be just over the horizon

This secret new Kindle Paperwhite model could be the best ereader on the market

Instacart’s new service lets you skip the checkout line with smart shopping cart

iOS 16: three game-changing Apple Music upgrades you need to know about

Nvidia RTX 4090 liveblog: what we expect to see at GTC 2022 By John Loeffler last updated 20 September 22 The highly anticipated Nvidia RTX 4090 announcement is less than a day away. Here's what we expect to see.

How to watch the Nvidia GeForce RTX announcement at GTC 2022

Unleash your inner ninja with this limited-edition Naruto gaming collection

Pixel 7 ‘compact’ – AKA Pixel 7a – could be just over the horizon

This secret new Kindle Paperwhite model could be the best ereader on the market

Instacart’s new service lets you skip the checkout line with smart shopping cart

iOS 16: three game-changing Apple Music upgrades you need to know about

Nvidia RTX 4090 liveblog: what we expect to see at GTC 2022 By John Loeffler last updated 20 September 22 The highly anticipated Nvidia RTX 4090 announcement is less than a day away. Here's what we expect to see.

How to watch the Nvidia GeForce RTX announcement at GTC 2022

Leave a Reply Cancel reply

Millions of downloads

Read Next

Unleash your inner ninja with this limited-edition Naruto gaming collection

Pixel 7 ‘compact’ – AKA Pixel 7a – could be just over the horizon

This secret new Kindle Paperwhite model could be the best ereader on the market

Instacart’s new service lets you skip the checkout line with smart shopping cart

iOS 16: three game-changing Apple Music upgrades you need to know about

Nvidia RTX 4090 liveblog: what we expect to see at GTC 2022 By John Loeffler last updated 20 September 22 The highly anticipated Nvidia RTX 4090 announcement is less than a day away. Here's what we expect to see.

How to watch the Nvidia GeForce RTX announcement at GTC 2022

TomKat MeDiA Developing Novels ‘Fateful Harvest’ And ‘The Death And Life Of Aida Hernandez’ For Film

Sundance Institute Launches New Annual Fellowship and Scholarship for AAPI Artists

Related Articles

Leave a Reply Cancel reply

Cookie Policy