NewsOnline Security

Malicious Apps in 3K – Twitter API Keys at Risk

Cybercriminals have used social media platforms in their attacks in the past, and they were pretty successful in their attempts. Twitter, in particular, was used to spread phishing campaigns that targeted high-profile accounts. Now, the social media giant is in the spotlight as around 3,207 mobile apps are exposing Twitter API keys.

Having access to legitimate Consumer Key and Consumer Secret information allows the attackers to perform critical/sensitive actions. This is huge and very dangerous.

Technically, the apps themselves are not malicious, but it’s a mistake made by app developers. However, this mistake could be the account owner’s downfall. How are these apps leaking this data? How can attackers benefit from this? Find out below.

Twitter API Keys Leaked – One Mistake, Huge Breach

Twitter is a vast social media network, which brings us to how significant a breach could be if it occurs. We can never forget when the infamous MasterFred used Twitter along with Netflix and the likes to infect users.

This time around, the breach is not related to Twitter directly, but it’s the one affected by it. Thousands of applications are leaking API keys, which allows cybercriminals and threat actors to hijack accounts.

As the title of this section states, this is all due to a mistake made by the developers. Instead of using API key rotation to protect such authentication keys, they’re embedding them in the Twitter API but forgetting to remove them when the mobile is released.

According to cybersecurity firm CloudSEK, the following locations are where the information is stored in these cases:

  • resources/res/values/strings.xml
  • source/resources/res/values-es-rAR/strings.xml
  • source/resources/res/values-es-rCO/strings.xml
  • source/sources/com/app-name/

Alright, but the most critical question is: What can any threat actor who gets his hands on the keys do? Well, a lot:

  • Post and delete tweets.
  • Add/remove users.
  • Full access to account settings.
  • Change/add display picture.
  • Access to direct messages.
  • Perform retweets and likes

The applications, collectively, consist of around 3200 apps. However, the download number is scary as it goes between 50,000 and 5,000,000 downloads.

Not only that, but the danger also lies in how popular these apps are. Anyone could download them as they represent vital practices and popular activities.

The apps include radio tuners, book readers, event loggers, city transportation companions, newspapers, e-banking apps, cycling GPS apps, and more.

Twitter API Keys Leaked – The Big Picture

Having full access to a Twitter account can be very dangerous. However, the practices mentioned above are nothing compared to if someone managed to get their hands on a verified account.

High-profile and verified accounts have a lot of followers. If threat actors access that, they can easily create a Twitter army to promote fake news, malware campaigns, cryptocurrency scams, etc.

If you notice irregular activity on your Twitter account, change your password and activate Two-Factor Authentication. This is big, so take proper precautions.

Jonathan Beesly

Jonathan is the main author at He regularly publishes posts that aim to introduce better cyber-security practices to the masses.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Back to top button