Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications.
Researchers at the company say they’ve uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely take over Twitter accounts.
Twitter helpfully exposes an API to allow developers access to the microblogging platform. With it, developers can use features such as reading and sending tweets and direct messages, following and unfollowing users and so on. It has proven controversial on occasion and most recently Elon Musk’s legal team complained about API rate limits. Basically, Musk’s claim was that he couldn’t ascertain how many Twitter accounts were run by bots or are otherwise inauthentic.
That same API has proven a boon to developers whose jobs are made easier by the functionality, although they are also an occasional irritation to users (when, for example, certain games add recent scores to users’ Twitter timelines.)
Who would need a bot army?
The API is, however, not really the problem. The issue is the authentication keys given to developers for API access and how those keys are stored. And yes, according to the security house, the keys are sometimes stored in an accessible fashion within the code. The example of developing a mobile application was given, where the API was used for testing and the credentials then saved within the app. Then, as the app moved to production, the keys were not removed. Miscreants could simply download the app, decompile it and get hold of the API keys.
“Thus, from here bulk API keys and tokens can be harvested to prepare the Twitter bot army,” said the researchers.
And as for what one could do with such an army? Scenarios posited by CloudSEK included spreading misinformation, firing off malware attacks from supposedly trusted accounts, spamming and the inevitable phishing.
Of the 3,207 leaky apps, 57 had premium or enterprise subscriptions to the Twitter API (costing $149/month according to researchers) and some of the leaked credentials belonged to verified Twitter accounts. 230 were leaking enough credentials to permit a full account takeover.
What can be done? The answer is simply good practice. While perhaps not very fashionable in the modern development world, CloudSEK recommends proper versioning replete with code reviews and approval. Keys should be rotated and hiding them in variables is recommended.
“Adequate care,” researchers wrote, “should be taken to ensure that files containing environment variables in the source code are not included.”
While leaving secrets in the code might seem like an amusing anecdote for our weekly Who, Me? column (where Register readers confess to messes they made in the pursuit of IT excellence), the report is evidence that shoddy coding practices are alive and well and can have potentially disastrous consequences for the organizations and accounts affected. ®