Security researchers have discovered a developer error in more than 3,200 mobile apps, which makes possible full or partial Twitter account hijacks.
In the worst examples, affecting around 320 apps, it enables an attacker to gain complete control of a Twitter account …
This would enable them to perform any and all of the following:
- Read direct messages
- Retweet
- Like
- Delete
- Remove followers
- Follow any account
- Get account settings
- Change display picture
The good news is that the accounts that can be hijacked are those belonging to the app developer, rather than the user, but cybersecurity company CloudSEK says that this creates the danger of a bot army using what are often high-profile and verified Twitter accounts to spread disinformation.
The Twitter bot army that we will try to create can fight any war for you. But perhaps the most dangerous one is the misinformation war, on the internet, powered by bots. Tim Berners-Lee, the founding father of the internet, said that it is too easy for misinformation to propagate because most people get their news from a small set of social media sites and search engines that make money from people clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can “spread like wildfire.”
Another risk is the accounts being used to promote scams, like the cryptocurrency ones prevalent on Twitter.
Yet another is the potential disclosure of sensitive information through attackers getting access to direct messages.
Bleeping Computer explains how the problem arose.
When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.
As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them.
CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API but forget to remove them when the mobile app is released.
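A pre-release check a developer can run against an app's string resources to catch exactly this mistake before the build ships, as an added example that is not from the article or from CloudSEK; the resource names, the key-shape heuristics and the sample resources file are assumptions and constructed input, not real Twitter credentials:

```python
"""Flag Twitter API credentials left in an Android strings.xml before release.

Added example, not from the article or CloudSEK. The resource-name pattern and
the credential shapes below are heuristic assumptions; the sample is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Resource names developers tend to use for OAuth 1.0a app credentials (assumption).
SUSPECT_NAMES = re.compile(r"(twitter|consumer|api|access).*(key|secret|token)", re.I)
# Rough value shapes (assumptions): a short alnum consumer key, a long alnum
# secret, and an access token of the form "<numeric user id>-<alnum>".
SHAPES = {
    "consumer_key": re.compile(r"^[A-Za-z0-9]{20,30}$"),
    "secret": re.compile(r"^[A-Za-z0-9]{40,55}$"),
    "access_token": re.compile(r"^\d{5,20}-[A-Za-z0-9]{30,50}$"),
}
# Obvious placeholders are not leaks and should not fail the build.
PLACEHOLDER = re.compile(r"(YOUR_|REPLACE|CHANGEME|xxx)", re.I)


def find_embedded_credentials(strings_xml: str) -> list:
    """Return one finding per <string> that looks like a real API credential."""
    findings = []
    for el in ET.fromstring(strings_xml).iter("string"):
        name, value = el.get("name", ""), (el.text or "").strip()
        if PLACEHOLDER.search(value):
            continue
        kinds = [kind for kind, rx in SHAPES.items() if rx.fullmatch(value)]
        # Flag on value shape, or on a credential-like name holding a long opaque value.
        if kinds or (SUSPECT_NAMES.search(name) and len(value) >= 20):
            findings.append({"name": name, "kind": kinds[0] if kinds else "unknown",
                             "value": value[:4] + "..."})  # redact in reports
    return findings


# Constructed sample: two live-looking credentials, one placeholder, two benign strings.
SAMPLE = """<resources>
    <string name="app_name">Demo Events</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">YOUR_CONSUMER_SECRET_HERE</string>
    <string name="twitter_access_token">1234567890-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</string>
    <string name="support_url">https://example.com/help</string>
</resources>"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE):
        print(f"LEAK? {f['name']} ({f['kind']}): {f['value']}")
```

Wiring this into CI so a non-empty result fails the release build is the cheap way to enforce the "never ship keys in the app" rule the article describes.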
The apps affected include some extremely popular ones, with millions of users. The names of the apps have not been disclosed, as most developers still haven’t fixed the problem a full month after CloudSEK alerted them. One app has been named – Ford Events – as the Ford Motor Company updated the app to remove the credentials.
Photo: Joshua Hoehne/Unsplash