How Leaked Twitter API Keys Can be Used to Build a Bot Army

A Twitter bot army built from leaked keys could be used to spread misinformation on the social media platform.
CloudSEK’s Attack Surface Monitoring Platform recently identified 3,207 mobile apps that expose Twitter API keys in the clear; some of those keys are being used to issue unauthorized commands on the Twitter handles associated with them.

CloudSEK, a Singapore-based cybersecurity firm, reported that the takeover is made possible by the leak of legitimate Consumer Key and Consumer Secret information.

Of the 3,207 apps that CloudSEK’s Attack Surface Monitoring Platform found leaking a valid Consumer Key and Consumer Secret, 230, some of them unicorns, were leaking all four authentication credentials. Those credentials can be used to fully take over the associated Twitter accounts and perform critical or sensitive actions such as:

• Read Direct Messages 
• Retweet 
• Like 
• Delete 
• Remove followers 
• Follow any account 
• Get account settings 
• Change display picture 

"Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said. 

Access to the Twitter API requires secret keys and access tokens, which act as the usernames and passwords for the apps and for the users on whose behalf the API requests are made. With those in hand, the researchers said, an attacker’s reach can range from reading direct messages to carrying out arbitrary actions, including retweeting, liking and deleting tweets, removing followers, following any account, accessing account settings, and even changing the account profile picture.
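The distinction the researchers draw between the 3,207 apps leaking only the Consumer Key and Consumer Secret and the 230 leaking all four credentials is exactly what a pre-release secret scan of an app package should report. The following script is an added example written for this post, not CloudSEK’s tooling or any code from the apps concerned. It scans text extracted from an app build (an Android strings.xml and a plain config file, both constructed here as sample data with made-up values) for the four Twitter credentials, checks each value against the assumed typical shape of that credential type, and classifies the severity of the leak. The key-name aliases and value formats are assumptions and should be tuned to the codebase being scanned.

```python
"""Pre-release scan for Twitter API credentials left in app artifacts (added example).

Feed it text extracted from an app package (strings.xml, config files,
decompiled source). It reports which of the four Twitter credentials are
present and whether the set is enough for full account takeover.
All sample input below is constructed; none of the values are real keys.
"""
import re
from dataclasses import dataclass

# Key names under which apps commonly store Twitter credentials (assumed aliases).
KEY_NAMES = {
    "consumer_key": ("consumer_key", "api_key", "twitter_key"),
    "consumer_secret": ("consumer_secret", "api_secret", "twitter_secret"),
    "access_token": ("access_token", "oauth_token"),
    "access_token_secret": ("access_token_secret", "oauth_token_secret"),
}

# Most specific names first, so "access_token_secret" is not read as "access_token".
ORDER = ("access_token_secret", "consumer_secret", "access_token", "consumer_key")

# Assumed typical value shapes; used to separate real-looking keys from placeholders.
VALUE_SHAPES = {
    "consumer_key": re.compile(r"[A-Za-z0-9]{25}"),
    "consumer_secret": re.compile(r"[A-Za-z0-9]{50}"),
    "access_token": re.compile(r"\d+-[A-Za-z0-9]{40}"),
    "access_token_secret": re.compile(r"[A-Za-z0-9]{45}"),
}

ALL_FOUR = set(KEY_NAMES)

# Matches <string name="k">v</string>, k = "v", k: v, k='v'
ASSIGN_RE = re.compile(
    r'(?:<string\s+name="(?P<xname>[^"]+)">(?P<xval>[^<]+)</string>'
    r'|(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*["\']?(?P<val>[^"\'\s,;<]+)["\']?)'
)


@dataclass
class Finding:
    credential: str   # which of the four Twitter credentials the key name suggests
    name: str         # the key name as it appears in the artifact
    value: str        # the literal value found
    well_formed: bool # True if the value has the expected shape for that credential


def identify(name: str):
    """Map a config key name to one of the four credential types, or None."""
    lname = name.lower()
    for cred in ORDER:
        if any(alias in lname for alias in KEY_NAMES[cred]):
            return cred
    return None


def scan(text: str):
    """Return a Finding for every line that assigns a Twitter credential."""
    findings = []
    for line in text.splitlines():
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        name = m.group("xname") or m.group("name")
        value = m.group("xval") or m.group("val")
        cred = identify(name)
        if cred is None:
            continue
        well_formed = VALUE_SHAPES[cred].fullmatch(value) is not None
        findings.append(Finding(cred, name, value, well_formed))
    return findings


def classify(findings):
    """Rate the leak: only well-formed values count, placeholders are ignored."""
    present = {f.credential for f in findings if f.well_formed}
    if ALL_FOUR <= present:
        return "CRITICAL: all four credentials present; full account takeover possible"
    if {"consumer_key", "consumer_secret"} <= present:
        return "HIGH: app credentials (Consumer Key + Consumer Secret) exposed"
    if present:
        return "MEDIUM: partial Twitter credentials exposed"
    return "OK: no well-formed Twitter credentials found"


def redact(value: str) -> str:
    """Show only the edges of a value so reports do not re-leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


# Constructed sample: an Android strings.xml leaking all four credentials.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">WeatherNow</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN</string>
    <string name="twitter_access_token">1234567890-abcdefghijklmnopqrstuvwxyz0123456789ABCD</string>
    <string name="twitter_access_token_secret">ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsr</string>
</resources>
"""

# Constructed sample: a config file with app credentials and a placeholder token.
SAMPLE_CONFIG = """
# build-time settings
TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY"
TWITTER_CONSUMER_SECRET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN'
TWITTER_ACCESS_TOKEN = "REPLACE_ME"
"""

if __name__ == "__main__":
    for label, text in (("strings.xml", SAMPLE_STRINGS_XML), ("config", SAMPLE_CONFIG)):
        found = scan(text)
        print(f"{label}: {classify(found)}")
        for f in found:
            print(f"  {f.credential:20} {f.name:32} {redact(f.value)} well_formed={f.well_formed}")
```

Run it against strings and resource files pulled from a release build, or wire it into CI so a build fails when `classify` returns anything other than the OK line. The shape check is what keeps the report honest: a name match with a placeholder value is flagged as not well-formed and does not count toward the takeover rating.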

With this information in hand, malicious actors can build a Twitter bot army and use it to spread misinformation on the social media platform.

“The Twitter bot army that we will try to create can fight any war for you. But perhaps the most dangerous one is the misinformation war, on the internet, powered by bots. Tim Berners-Lee, the founding father of the internet, said that it is too easy for misinformation to propagate because most people get their news from a small set of social media sites and search engines that make money from people clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can ‘spread like wildfire’,” CloudSEK reported.