On Monday researchers from CloudSEK reported 3,207 applications that leaked Twitter Application Programming Interface (API) keys. These API keys allow the holder to perform actions on behalf of the account, such as reading direct messages, liking and retweeting tweets, following other accounts, and altering account settings. With applications leaking their API keys, an attacker could easily take control of large numbers of accounts and so increase the effectiveness of a campaign.
Twitter has historically been abused in several kinds of social engineering attack. Primarily, compromised accounts are used in phishing campaigns to lend credibility to the lure. More recently, however, misinformation campaigns have taken hold, with large numbers of hijacked accounts operating as bots that spread misinformation.
For social media sites like Twitter, a company's primary risk is reputational damage: with a leaked API key, an attacker can effectively hijack an account without needing the password or any Multi-Factor Authentication (MFA). However, services such as AWS or GitHub also expose API functionality, and the damage from leaked keys there extends to data leakage, including of intellectual property, and control over cloud services. Companies should therefore rotate their API keys periodically to reduce the likelihood that a leaked key is still valid. Companies should also review any code being written that uses these APIs, to ensure that API keys are not hard-coded, even in obfuscated form, within the code itself.
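As an added example (not CloudSEK's tooling or code from the original article), the following Python scanner implements the kind of code review the last paragraph recommends: it flags string literals assigned to key-, secret- or token-named variables whose entropy suggests a real credential rather than a placeholder. The variable-name pattern, placeholder list and entropy threshold are assumptions, and the sample source and key values are constructed.

```python
import math
import re

# Hypothetical heuristic (added example, not CloudSEK's tooling): a string literal
# assigned to a key/secret/token-named variable, with enough entropy to look real.
KEY_ASSIGNMENT = re.compile(
    r'(?i)\b([a-z0-9_]*(?:api|consumer|access|oauth)[_-]?(?:key|secret|token)[a-z0-9_]*)'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']'
)
# Substrings that mark a template value rather than a live credential (assumption).
PLACEHOLDERS = ("your_", "changeme", "example", "xxxx", "<")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score well above prose."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source: str, min_entropy: float = 3.5):
    """Return (line number, variable name, entropy) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = KEY_ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if any(p in value.lower() for p in PLACEHOLDERS):
            continue  # template placeholder, not a credential
        ent = shannon_entropy(value)
        if ent >= min_entropy:
            findings.append((lineno, name, round(ent, 2)))
    return findings


# Constructed sample source; the key values are made up, not real credentials.
SAMPLE_SOURCE = """\
TWITTER_CONSUMER_KEY = "q8Fz3LmN2kP7wXvR1tYbH4sDc"
TWITTER_CONSUMER_SECRET = "A9fK3mZ2xQ7pL1vR8tY4bH6sDcW0eJ5nU3gI2oP7kM9aS1dF4h"
ACCESS_TOKEN = "YOUR_ACCESS_TOKEN_HERE"
api_key = os.environ["TWITTER_API_KEY"]
timeout_token = "abc"
"""

if __name__ == "__main__":
    for lineno, name, ent in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like a hard-coded credential (entropy {ent})")
```

Only the two literal credentials are reported; the placeholder, the environment lookup and the short unrelated token are passed over.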