On Aug 1st, Cloud SEK, a well-known attack surface monitoring platform, published a report that says, “There are 3207 apps, leaking Twitter API keys, that can be utilized to gain access to or to take over Twitter accounts.” This sounds quite alarming, isn’t it? Just logging into Twitter, tweeting something interesting, and logging off is not enough. It is required to know how attackers take over Twitter accounts, why they do so, what are the implications of it, and finally, how to protect your Twitter account from such attacks. Let’s crackdown on each one of these questions and explore answers to them.
How Do Attackers Takeover Twitter Accounts?
Well, there are several attacks attackers use to take over Twitter accounts, brute force, password spraying, a man in the middle, session hijack, and capturing the credentials either using a social engineering technique like phishing or a malware attack. However, we are not going to cover any of those in this post. Our focus is only on how do attackers take over Twitter accounts using Twitter API keys. If you don’t know much about the twitter APIs, read the below section.
What Is Twitter API?
In general, an API is an application programming interface. It is a set of rules that allow programs to interact with each other. The API defines how the software components should work together. APIs are used when developing applications that need to communicate with each other. For example, when you use a mobile app to book a hotel room, the app will use an API to send your request to the hotel’s booking system. The booking system will then use the API to confirm your reservation and send you a confirmation message.
In the same way, Twitter APIs offer applications that want to interact with Twitter in a number of ways. The API allows you to post tweets, search for tweets, Direct Messages, follow and unfollow users, view user information, etc. You can also use the API to access Twitter’s streaming API, which provides real-time access to tweets as they are posted.
To use the Twitter API, you will need to create a Twitter application. This can be done through the Twitter developer website. Once you have created your application, you will be given a Consumer Key and Consumer Secret. These keys are used to authenticate your application with Twitter.
Once you have created your application, you can begin using the Twitter API. The API is accessed via HTTP, and all requests must be authenticated with your Consumer Key and Consumer Secret. Twitter provides a number of API methods that can be used to interact with the platform.
How Do Attackers Capture Twitter API Keys?
In most cases, attackers capture Twitter API keys from applications on which developers forget to delete or remove the Twitter APIs keys before publishing applications on the play store. Developers use the Twitter API keys to test their applications during the development and later forget to delete them before they publish the apps on the play store. If developers leave the API keys in the applications, hackers will download the app and decompile it to get the API credentials. This is how attackers take over Twitter accounts using Twitter API keys.
They store the credentials at:
What Does Cloudsek’s Report Say?
CloudSEK has conducted research, and as a result, they found 3207 apps leaking Twitter API keys that can be abused to take over Twitter accounts. 230 out of 3207 apps are unicorns, which were leaking all 4 Auth Creds and can be used to fully takeover Twitter accounts to perform actions such as:
- Read Direct Messages
- Remove followers
- Follow any account
- Get account settings
- Change display picture
Why Should Attackers Takeover Twitter Accounts?
There could be many reasons that attackers want to hijack Twitter accounts. Some prominent are:
- To spread false information on any subject, from vaccines to elections. Thereby impacting millions of people all over the world.
- Spamming is another method to gain a large audience and provide information about cryptocurrencies or the stock market. So, a Twitter bot army may be used to artificially increase or reduce the value of a cryptocurrency or company’s stock.
- Twitter may be used to launch malware attacks. As a result, a Twitter bot army can use large-scale malware campaigns to infect systems.
- A variety of methods are utilized by cybercriminals to steal user information, including phishing. And the gathered personal information might be used to execute further social engineering assaults or identity theft. So, on a large scale, an army of Twitter bots automates phishing in order to gather credentials.
How to Protect Your Twitter API Keys Be Stolen?
It is not possible for individuals to secure their Twitter APIs. This responsibility is on the developer’s shoulders. Developers should make sure that API keys are not directly embedded in the code and follow secure
coding and deployment processes such as:
- Standardizing Review Procedures: Make sure you’re versioning correctly. Prior to versioning, the code base must be inspected, reviewed, and approved. Standardized procedures help to prevent significant exposures.
- Hiding Keys: In an environment, variables are alternate ways to refer to keys while hiding them. Variables help save time and improve security. It’s a must to ensure that files with environment variables in the source code are not included,
- Rotate API keys: Rotating keys can help reduce the threat posed by leaked keys. Unused keys reduce the severity of invalidation. It is recommended to rotate keys every six months as existing keys get deactivated while new ones get generated.
We hope this post would help you know how do attackers take over Twitter accounts, why they do so, what are the implications of it, and finally, how to protect your Twitter account from such attacks. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.