Bot army risk as 3,000+ apps found spilling Twitter API keys

Please stop leaving credentials where miscreants can find them

Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications.

Researchers at the company say they've uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely take over Twitter accounts.

Twitter helpfully exposes an API to allow developers access to the microblogging platform. With it, developers can use features such as reading and sending tweets and direct messages, following and unfollowing users and so on. It has proven controversial on occasion and most recently Elon Musk's legal team complained about API rate limits. Basically, Musk's claim was that he couldn't ascertain how many Twitter accounts were run by bots or are otherwise inauthentic.

That same API has proven a boon to developers whose jobs are made easier by the functionality, although it is also an occasional irritation to users (when, for example, certain games add recent scores to users' Twitter timelines).

Who would need a bot army?

The API is, however, not really the problem. The issue is the authentication keys given to developers for API access and how those keys are stored. And yes, according to the security house, the keys are sometimes stored in an accessible fashion within the code. The example of developing a mobile application was given, where the API was used for testing and the credentials then saved within the app. Then, as the app moved to production, the keys were not removed. Miscreants could simply download the app, decompile it and get hold of the API keys.

"Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army," said the researchers.

And as for what one could do with such an army? Scenarios posited by CloudSEK included spreading misinformation, firing off malware attacks from supposedly trusted accounts, spamming and the inevitable phishing.

Of the 3,207 leaky apps, 57 had premium or enterprise subscriptions to the Twitter API (costing $149/month according to researchers) and some of the leaked credentials belonged to verified Twitter accounts. 230 were leaking enough credentials to permit a full account takeover.

What can be done? The answer is simply good practice. While perhaps not very fashionable in the modern development world, CloudSEK recommends proper versioning replete with code reviews and approval. Keys should be rotated, and keeping them in environment variables rather than in the code is recommended.

"Adequate care," researchers wrote, "should be taken to ensure that files containing environment variables in the source code are not included."
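One check that follows from those recommendations, written here as an added example rather than anything from the CloudSEK report: a small scanner that flags environment files committed to a source tree and hard-coded, high-entropy string literals assigned next to Twitter-style credential names. The credential-name list, entropy threshold and sample tree are assumptions constructed for illustration; the "key" values are made up.

```python
import math
import re
from pathlib import PurePosixPath

# Variable names that commonly carry Twitter API credentials (assumed list).
CREDENTIAL_NAMES = re.compile(
    r"(?i)\b(twitter_)?(api_key|api_secret|consumer_key|consumer_secret|"
    r"access_token|access_token_secret|bearer_token)\b"
)
# A quoted literal of 20+ characters from the usual key alphabet.
LITERAL = re.compile(r"[\"']([A-Za-z0-9_\-%]{20,})[\"']")
# Looks like an env-var *name* rather than a value, e.g. "TWITTER_CONSUMER_SECRET".
NAME_LIKE = re.compile(r"^[A-Z0-9_]+$")
ENV_FILE = re.compile(r"^\.env(\..+)?$")


def shannon_entropy(s: str) -> float:
    """Bits per character: real secrets score high, placeholders score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_file(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return (path, line_no, reason) findings for one file; line 0 = whole file."""
    findings = []
    if ENV_FILE.match(PurePosixPath(path).name):
        findings.append((path, 0, "environment file committed to source tree"))
    for no, line in enumerate(text.splitlines(), 1):
        if not CREDENTIAL_NAMES.search(line):
            continue  # only lines that mention a credential name are examined
        m = LITERAL.search(line)
        if m and not NAME_LIKE.match(m.group(1)) \
                and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append((path, no, "hard-coded credential literal"))
    return findings


def scan_tree(files: dict) -> list:
    """Scan a {path: contents} mapping, as a pre-commit hook or CI step would."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample tree: a baked-in key, a correct getenv() lookup, a stray env file.
SAMPLE_TREE = {
    "app/Config.java": (
        "public class Config {\n"
        '    static final String CONSUMER_KEY = "x7Qm2LpZ9vTk4RbN1sWy8Hd3FgJc";\n'
        '    static final String CONSUMER_SECRET = System.getenv("TWITTER_CONSUMER_SECRET");\n'
        "}\n"
    ),
    ".env.production": "TWITTER_ACCESS_TOKEN=...\n",
    "README.md": "Set TWITTER_API_KEY in your environment before running.\n",
}
```

Only the baked-in literal and the committed env file are reported; the `getenv()` lookup and the README mention pass, which is the distinction a reviewer or CI gate needs.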

While leaving secrets in the code might seem like an amusing anecdote for our weekly Who, Me? column (where Register readers confess to messes they made in the pursuit of IT excellence), the report is evidence that shoddy coding practices are alive and well and can have potentially disastrous consequences for the organizations and accounts affected. ®
