CIO News Hubb

Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

by admin
August 1, 2022
in Information Security


Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts.

The takeover is made possible by a leak of legitimate Consumer Key and Consumer Secret information, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.

“Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions,” the researchers said.

This can range from reading direct messages to carrying out arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture.

Access to the Twitter API requires generating the Keys and Access Tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made.

A malicious actor in possession of this information can, therefore, create a Twitter bot army that could potentially be leveraged to spread mis/disinformation on the social media platform.

“When multiple account takeovers can be utilized to sing the same tune in tandem, it only reiterates the message that needs to get disbursed,” the researchers noted.

What’s more, in a hypothetical scenario explained by CloudSEK, the API keys and tokens harvested from the mobile apps can be embedded in a program to run large-scale malware campaigns through verified accounts to target their followers.

Adding to the concern, the key leak is not limited to Twitter APIs alone. In the past, CloudSEK researchers have uncovered the secret keys for GitHub, AWS, HubSpot, and Razorpay accounts from unprotected mobile apps.

To mitigate such attacks, it’s recommended to review code for directly hard-coded API keys, while also periodically rotating keys to help reduce probable risks incurred from a leak.

“Variables in an environment are alternate means to refer to keys and disguise them apart from not embedding them in the source file,” the researchers said.

“Variables save time and increase security. Adequate care should be taken to ensure that files containing environment variables in the source code are not included.”
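The code review recommended above can be automated as a pre-release check. The following is an added example, not code from CloudSEK's report or from this article: it scans a source tree or unpacked app package for credentials assigned as string literals, flags bundled `.env` files, and reports whether all four credentials are exposed together. The identifier spellings, file paths and sample values are assumptions constructed for illustration.

```python
import re
# Assumed identifier spellings for the four credentials; extend for your code base.
CREDENTIAL_KINDS = {
    "access_token_secret": re.compile(r"access[_-]?token[_-]?secret", re.I),
    "access_token": re.compile(r"access[_-]?token", re.I),
    "consumer_secret": re.compile(r"consumer[_-]?secret", re.I),
    "consumer_key": re.compile(r"consumer[_-]?key", re.I),
}
# Matches name = "literal", name: "literal", or an Android <string> resource.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][\w.-]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
    r"""|<string\s+name=["'](?P<xname>[^"']+)["']\s*>(?P<xvalue>[^<]{8,})</string>"""
)

def scan_file(path, text):
    """Return (path, line_no, kind) for each credential assigned a literal value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in ASSIGNMENT.finditer(line):
            name = match.group("name") or match.group("xname")
            for kind, pattern in CREDENTIAL_KINDS.items():  # most specific first
                if pattern.search(name):
                    findings.append((path, line_no, kind))  # never echo the value
                    break
    return findings

def audit(files):
    """files maps relative path -> text of a source tree or unpacked app package."""
    findings = [f for path, text in files.items() for f in scan_file(path, text)]
    env_files = sorted(p for p in files if p.rsplit("/", 1)[-1].startswith(".env"))
    kinds = {kind for _, _, kind in findings}
    return {"findings": findings, "bundled_env_files": env_files,
            "all_four_exposed": kinds == set(CREDENTIAL_KINDS)}

# Constructed sample tree; every value below is a made-up placeholder.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="twitter_consumer_key">CONSTRUCTED-KEY-0001</string>\n'
        '  <string name="twitter_consumer_secret">CONSTRUCTED-SECRET-0001</string>\n'
        "</resources>\n"),
    "src/TwitterClient.java": (
        'String accessToken = "CONSTRUCTED-TOKEN-0001";\n'
        'String accessTokenSecret = "CONSTRUCTED-TOKEN-SECRET-0001";\n'
        'String apiHost = System.getenv("API_HOST");\n'),
    "assets/.env": "TWITTER_CONSUMER_KEY=CONSTRUCTED-KEY-0001\n",
}
if __name__ == "__main__":
    print(audit(SAMPLE_FILES))
```

A non-empty `findings` or `bundled_env_files` list is a reason to fail the build and rotate the affected keys, since anything shipped inside the app package should be treated as already disclosed.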




