CloudSEK researchers have found 3,207 mobile applications leaking valid Twitter application programming interface (API) keys and tokens, allowing attackers to hijack compromised accounts.
The affected applications include banking apps, event loggers, city transportation companions, radio tuners, book readers and GPS cycling trackers, BleepingComputer reported.
CloudSEK reportedly disclosed the vulnerabilities to the relevant companies a month ago, but most have not addressed the issues.
With a hijacked account, attackers can read direct messages, access account settings, remove followers, retweet, like, and delete posts.
By hijacking verified accounts, attackers can create bot armies to run large-scale malware campaigns and spread misinformation.
These bot armies are also often used to automate phishing and cryptocurrency scams.
The researchers said attackers use verified Twitter accounts to lend credence to the scams.
CloudSEK’s security search engine for mobile applications, BeVigil, discovered that 3,207 applications were leaking valid Consumer Keys and Consumer Secrets for the Twitter API.
The Twitter API allows developers to integrate their applications with Twitter’s core functionalities.
“[Twitter’s API] ensures that developers can come up with their own unique ways of embedding Twitter’s data and functionality in their applications,” CloudSEK said.
The researchers said the vulnerability exists because developers save the API keys and tokens within the mobile application.
“Sometimes, these credentials are not removed before deploying it in the production environment. Once the app gets uploaded to the play store, the API secrets are there for anyone to access.”
“Some of the leaked credentials belonged to verified Twitter accounts,” CloudSEK said.
CloudSEK has recommended that developers follow secure coding and deployment processes like hiding and rotating authentication keys and ensuring accurate versioning.
“It is imperative that API keys are not directly embedded in the code,” the researchers said.