On Aug 1st, CloudSEK, a well-known attack surface monitoring platform, published a report that says, “There are 3207 apps leaking Twitter API keys that can be utilized to gain access to or to take over Twitter accounts.” That sounds quite alarming, doesn’t it? Just logging into Twitter, tweeting something interesting, and logging off is not enough. It is worth knowing how attackers take over Twitter accounts, why they do so, what the implications are, and finally, how to protect your Twitter account from such attacks. Let’s break down each of these questions and explore the answers.
Attackers use several techniques to take over Twitter accounts: brute force, password spraying, man-in-the-middle, session hijacking, and capturing credentials through social engineering such as phishing or through malware. We are not going to cover any of those in this post. Our focus is only on how attackers take over Twitter accounts using leaked Twitter API keys. If you don’t know much about the Twitter APIs, read the section below.
In general, an API is an application programming interface. It is a set of rules that allow programs to interact with each other. The API defines how the software components should work together. APIs are used when developing applications that need to communicate with each other. For example, when you use a mobile app to book a hotel room, the app will use an API to send your request to the hotel’s booking system. The booking system will then use the API to confirm your reservation and send you a confirmation message.
In the same way, the Twitter API lets applications interact with Twitter in a number of ways. The API allows you to post tweets, search for tweets, send Direct Messages, follow and unfollow users, view user information, and so on. You can also use the API to access Twitter’s streaming API, which provides real-time access to tweets as they are posted.
To use the Twitter API, you first need to create a Twitter application through the Twitter developer website. Once the application is created, you are given a Consumer Key and a Consumer Secret. These keys authenticate your application with Twitter.
With the application created, you can begin using the Twitter API. The API is accessed over HTTP, and every request must be authenticated with your Consumer Key and Consumer Secret. Twitter provides a number of API methods for interacting with the platform.
In most cases, attackers obtain Twitter API keys from applications in which developers forgot to remove the keys before publishing to the Play Store. Developers embed the keys to test their applications during development and later forget to delete them before release. If the keys are left in the application, anyone can download the app and decompile it to recover the API credentials. This is how attackers take over Twitter accounts using Twitter API keys.
The report lists the locations inside the application package where the credentials are typically found:
[Figure: Locations where Twitter API keys are stored in applications]
CloudSEK’s research found 3207 apps leaking Twitter API keys that can be abused to take over Twitter accounts. 230 of those 3207 apps, which the report calls unicorns, leak all four authentication credentials and can be used to fully take over Twitter accounts and perform actions such as:
Read Direct Messages
Retweet
Like
Delete
Remove followers
Follow any account
Get account settings
Change display picture
What Does CloudSEK’s Report Say?
There are many reasons attackers want to hijack Twitter accounts. Some prominent ones are:
To spread false information on any subject, from vaccines to elections, thereby influencing millions of people all over the world.
To spam: a hijacked audience is a cheap way to push claims about cryptocurrencies or the stock market, so a Twitter bot army may be used to artificially inflate or depress the value of a cryptocurrency or a company’s stock.
To distribute malware: a Twitter bot army can run large-scale malware campaigns to infect systems.
To steal user information: cybercriminals use a variety of methods, including phishing, and the gathered personal data can be used for further social engineering attacks or identity theft. At scale, an army of Twitter bots automates phishing in order to harvest credentials.
Individual users cannot secure the Twitter API keys of an app they use. This responsibility is on the developer’s shoulders. Developers should make sure that API keys are never embedded directly in the code and should follow secure coding and deployment practices such as:
Standardizing review procedures: Make sure you are versioning correctly. Before code is versioned, the code base must be inspected, reviewed, and approved. Standardized procedures help prevent significant exposures.
Hiding keys: Environment variables are an alternative way to refer to keys while keeping them out of the code. Variables save time and improve security. Make sure that files containing environment variables are not checked into source control.
Rotating API keys: Rotating keys reduces the threat posed by leaked keys, because invalidating keys that are no longer in use limits the impact of a leak. It is recommended to rotate keys every six months, deactivating the existing keys as new ones are generated.
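The decompile-and-read path described earlier and the “standardize reviews” and “hide keys” practices above can be tied together in a pre-release check that scans the app’s own resource files for embedded Twitter credentials. The following is an added example, not code from the post or from CloudSEK’s report; it assumes the four OAuth credentials Twitter issues (consumer key, consumer secret, access token, access token secret), uses a resource-name heuristic and a minimum-length heuristic that are this example’s own assumptions, and runs on constructed strings.xml samples with made-up values.

```python
import re

# Constructed sample of a strings.xml as found in a decompiled APK; the values are made up.
LEAKY_STRINGS_XML = """<resources>
    <string name="app_name">ExampleApp</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">01234567890123456789012345678901234567890123456789</string>
    <string name="twitter_access_token">1234567890-zYxWvUtSrQpOnMlKjIhGfEdCbAzYxWvUtSrQpOnM</string>
    <string name="twitter_access_token_secret">ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs</string>
</resources>"""

# Constructed sample of the same file after the key was moved to a build-time environment
# variable: only a placeholder remains, so nothing usable ships inside the APK.
CLEAN_STRINGS_XML = """<resources>
    <string name="twitter_consumer_key">${TWITTER_CONSUMER_KEY}</string>
</resources>"""

STRING_RE = re.compile(r'<string\s+name="([^"]+)"\s*>(.*?)</string>', re.S)
FULL_SET = {"consumer_key", "consumer_secret", "access_token", "access_token_secret"}

def classify(name):
    """Map a Twitter-related resource name to one of the four credential types, else None."""
    n = name.lower()
    if "twitter" not in n:
        return None
    if "secret" in n:
        return "access_token_secret" if ("access" in n or "token" in n) else "consumer_secret"
    if "access" in n or "token" in n:
        return "access_token"
    return "consumer_key" if "key" in n else None

def looks_like_credential(value):
    """Heuristic (assumption): live keys are long opaque strings; placeholders are not."""
    v = value.strip()
    return len(v) >= 20 and not v.startswith("${") and "your" not in v.lower()

def find_twitter_creds(xml_text):
    """Return {credential_type: value} for every Twitter credential embedded in the resource file."""
    found = {}
    for name, value in STRING_RE.findall(xml_text):
        kind = classify(name)
        if kind and looks_like_credential(value):
            found[kind] = value.strip()
    return found

def assess(found):
    """Rate exposure as the report does: all four credentials means full account takeover."""
    if FULL_SET.issubset(found):
        return "CRITICAL"   # the "unicorn" case: full account takeover possible
    if {"consumer_key", "consumer_secret"}.issubset(found):
        return "HIGH"       # the app's own credentials are exposed
    return "MEDIUM" if found else "OK"
```

Running the check against the build output as part of the review gate fails the release whenever `assess()` returns anything other than "OK", which is the point at which a key rotation should also be scheduled.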
We hope this post has helped you understand how attackers take over Twitter accounts, why they do so, what the implications are, and finally, how to protect your Twitter account from such attacks. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.