Bot army risk as 3,000+ apps found spilling Twitter API keys

Please stop leaving credentials where miscreants can find them

Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications.

Researchers at the company say they've uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely take over Twitter accounts.

Twitter helpfully exposes an API to allow developers access to the microblogging platform. With it, developers can use features such as reading and sending tweets and direct messages, following and unfollowing users and so on. It has proven controversial on occasion and most recently Elon Musk's legal team complained about API rate limits. Basically, Musk's claim was that he couldn't ascertain how many Twitter accounts were run by bots or are otherwise inauthentic.

That same API has proven a boon to developers whose jobs are made easier by the functionality, although they are also an occasional irritation to users (when, for example, certain games add recent scores to users' Twitter timelines.)

Who would need a bot army?

The API is, however, not really the problem. The issue is the authentication keys given to developers for API access and how those keys are stored. And yes, according to the security house, the keys are sometimes stored in an accessible fashion within the code. The example of developing a mobile application was given, where the API was used for testing and the credentials then saved within the app. Then, as the app moved to production, the keys were not removed. Miscreants could simply download the app, decompile it and get hold of the API keys.

"Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army," said the researchers.

And as for what one could do with such an army? Scenarios posited by CloudSEK included spreading misinformation, firing off malware attacks from supposedly trusted accounts, spamming and the inevitable phishing.

Of the 3,207 leaky apps, 57 had premium or enterprise subscriptions to the Twitter API (costing $149/month according to researchers) and some of the leaked credentials belonged to verified Twitter accounts. 230 were leaking enough credentials to permit a full account takeover.

What can be done? The answer is simply good practice. While perhaps not very fashionable in the modern development world, CloudSEK recommends proper versioning replete with code reviews and approval. Keys should be rotated and hiding them in variables is recommended.

"Adequate care," researchers wrote, "should be taken to ensure that files containing environment variables in the source code are not included."

While leaving secrets in the code might seem like an amusing anecdote for our weekly Who, Me? column (where Register readers confess to messes they made in the pursuit of IT excellence), the report is evidence that shoddy coding practices are alive and well and can have potentially disastrous consequences for the organizations and accounts affected. ®

Send us news

Twitter search spam campaign hides China riots, researchers say

Elon Musk meanwhile muses whether Apple 'hate[s] free speech in America' because the company mostly stopped advertising on Twitter

How do you solve the problem that is Twitter?

Technically and leadership-wise what site needs is stability

Twitter tries to lure brands back with spend-matching scheme

Spend $500k and we'll double your money, but please ignore the trolls

Twitter gives up fight against COVID-19 misinformation

Ex-moderation lead says he does not feel the platform is 'safe' under Musk

Elon Musk picks fight with Apple for slashing advertising spend on Twitter

CEO claims platform threatened with expulsion from App Store, asks if device maker hates free speech

Musk: Twitter will have 1 billion monthly users inside 18 months

Meanwhile reports say more ad buyers are staying away

Musk's Hotel California erected at Twitter HQ, as some offices converted into bedrooms

You can check out any time you like, and you can eventually leave. Right? Right?

Musk says spat with Apple over App Store ejection threat for Twitter was 'misunderstanding'

Lovely visit to meet Tim Cook at Apple Park HQ forces big change in tone from world's richest man

Elon Musk to abused Twitter users: Your tormentors are coming back

Promises restoration of suspended accounts, despite previous pledge to do no such thing

Google says Android runs better when covered in Rust

Banishing memory safety bugs cuts critical vulnerabilities

FBI warns about Cuba, no, not that one — the ransomware gang

Critical infrastructure attacks ramping up

Blockchain needs a reason to exist, Boris Johnson tells roomful of blockchain pros

As for Twitter, politicians need to grow thick skins and stop mistaking it for advertisement