Threat actors could use the leaked API keys to access or take over Twitter accounts.
CloudSEK discovered 3,207 apps leaking Twitter API keys. Of those, 230 were leaking all four authentication credentials.
The leaked credentials could be used to perform critical actions on the affected accounts, such as reading direct messages, retweeting, adding or removing followers, and changing account settings, among other things.
CloudSEK noted that there were some unicorns among those 230 apps.
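The 230 apps shipping all four credentials are the kind of finding a build-time secret scan over an app's own decompiled strings catches before release. The Python below is an added example, not CloudSEK's tooling or code from the article: the regex heuristic and the three sample string dumps are constructed for illustration, and the four credential names assume Twitter's OAuth 1.0a key set (consumer key and secret, access token and secret, with "API key/secret" as Twitter's alternate name for the consumer pair).

```python
import re
from typing import Dict, List, Set

# The four OAuth 1.0a credentials a Twitter client app needs (assumed to be the article's "all four").
CREDENTIAL_KINDS = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")

# Heuristic written for this example: an assignment or JSON/XML-style key named like one of the
# four credentials, followed by a quoted literal of secret-like length (20+ chars).
_ASSIGN_RE = re.compile(
    r"(?P<name>(?:twitter[_\-.]?)?(?:oauth[_\-.]?)?(?:consumer[_\-.]?key|consumer[_\-.]?secret"
    r"|api[_\-.]?key|api[_\-.]?secret|access[_\-.]?token[_\-.]?secret|access[_\-.]?token))"
    r"[\"']?\s*[:=]\s*[\"'](?P<value>[A-Za-z0-9\-]{20,})[\"']",
    re.IGNORECASE,
)

def _canonical(name: str) -> str:
    """Map a matched identifier (any casing or separator) to one of CREDENTIAL_KINDS."""
    n = re.sub(r"[^a-z]", "", name.lower()).replace("twitter", "").replace("oauth", "")
    if n in ("consumerkey", "apikey"):
        return "consumer_key"
    if n in ("consumersecret", "apisecret"):
        return "consumer_secret"
    return "access_token_secret" if n == "accesstokensecret" else "access_token"

def find_credentials(strings: str) -> Dict[str, List[str]]:
    """Return {credential_kind: [literal values]} found in one app's string dump."""
    found: Dict[str, List[str]] = {}
    for m in _ASSIGN_RE.finditer(strings):
        found.setdefault(_canonical(m.group("name")), []).append(m.group("value"))
    return found

def audit(apps: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each app id to the set of credential kinds its strings expose."""
    return {app: set(find_credentials(text)) for app, text in apps.items()}

def apps_leaking_full_set(apps: Dict[str, str]) -> List[str]:
    """Apps that ship every credential needed to act as the account: the worst case."""
    return sorted(a for a, kinds in audit(apps).items() if kinds.issuperset(CREDENTIAL_KINDS))

# Constructed sample string dumps standing in for three decompiled apps (not real apps or keys).
SAMPLE_APPS = {
    "com.example.gamescores": """
        public static final String TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY";
        public static final String TWITTER_CONSUMER_SECRET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN";
        public static final String ACCESS_TOKEN = "1234567890-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd";
        public static final String ACCESS_TOKEN_SECRET = "zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTSR";
    """,
    "com.example.newsreader": '{"twitter": {"apiKey": "QrStUvWxYzAbCdEfGhIjKlMnO", "apiSecret": "NMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210"}}',
    "com.example.notes": 'public static final String APP_NAME = "Notes";',
}
```

Running `audit(SAMPLE_APPS)` flags the first app as exposing all four kinds, the second as exposing only the consumer pair, and the third as clean; the same scan dropped into CI over a real build's extracted strings is the mitigation the finding calls for.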
The Twitter API (Application Programming Interface) gives developers programmatic access to Twitter's core functionality, such as reading and sending Tweets and direct messages, and following and unfollowing users.
“By allowing access to their APIs, Twitter ensures that developers can come up with their own unique ways of embedding Twitter’s data and functionality in their applications. For example, if a gaming app posts your high score on your Twitter feed directly, it is powered by the Twitter API,” CloudSEK explained.
Should malicious actors get hold of Twitter API keys, they could build a bot army. In fact, Cybernews recently ran a story about a white hat hacker who asked Twitter for API keys to experiment with bots. After Twitter denied him access, he demonstrated how easy it is to build a bot even without the API keys, and was banned from social media as a result.
Twitter bots might be used in a wide range of attacks.
“Tweets and their subsequent retweets gain global attention. So, a Twitter bot army can be used to spread misinformation on any topic ranging from vaccines to elections, thereby affecting millions across the globe,” the CloudSEK report reads.
The company outlined more possible scenarios. For example, bots could be used to spread malware, disseminate information related to cryptocurrency or the stock market, and harvest personal information.
“Real-time information being the USP of social networking platforms such as Twitter, it is difficult to differentiate between truth and lies, both deliberate and accidental. Hence, it is important for social media platforms to ensure that they are not misused to spread misinformation,” CloudSEK concluded.