Twitter, GitHub, AWS… your account keys are leaking from thousands of apps

Hijacking online accounts such as Twitter accounts is common. The usual advice is to choose a strong password and enable two-factor authentication to reduce the risk. That advice, however, does not cover another serious danger that users too often underestimate: third-party applications connected to the account.

In their report, CloudSEK researchers found that 3,207 mobile apps leak all or part of their Twitter API credentials. The problem is that these keys can let an attacker take control of a Twitter account without knowing the username or password. Because the keys and access tokens generated for each application authorize API calls directly, they also bypass two-factor authentication, which only guards the login step.

How vulnerabilities in over 3,200 mobile apps help hackers steal your Twitter account (and more)

According to CloudSEK, this technique is actively used by attackers, particularly those building large botnets for large-scale attacks and for effective disinformation campaigns. The firm explains that attackers are likely to pool all the collected keys and tokens into a tool that lets malware be distributed in bulk through verified Twitter accounts.

CloudSEK researchers add that, beyond Twitter, many of these applications also leak API keys and access tokens for other services, including GitHub, Amazon Web Services (AWS), HubSpot and Razorpay. The researchers give developers some advice on closing these leaks, such as loading keys from environment variables instead of hardcoding them in the application's source or resources.
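To make the leak concrete, here is a small scanner that a reviewer can run over a decompiled APK (apktool or jadx output) to flag the credential kinds the report lists: the four Twitter OAuth 1.0a values, AWS access key IDs and GitHub tokens. It is an added example written for this page, not CloudSEK's tooling or code from any of the apps in the report. The regexes approximate the publicly known credential formats, the key-name heuristics (such as matching on "consumer_key") are this example's own assumption, the sample strings.xml is constructed, and the AWS value is the placeholder key used in AWS documentation.

```python
"""
Scanner for hardcoded API credentials in decompiled mobile app sources.

Added example, not CloudSEK's tooling: run it over an apktool/jadx output
directory (or any text) and it reports likely Twitter, AWS and GitHub
credentials. The Twitter length rules and the AWS/GitHub prefixes follow the
publicly known credential formats, but the exact regexes and the key-name
heuristics (e.g. "consumer_key") are this example's own approximations.
"""
import re
import sys
from pathlib import Path

# Each regex captures the credential value in group 1.
PATTERNS = {
    # Twitter OAuth 1.0a: 25-char consumer key, 50-char consumer secret,
    # "<numeric user id>-<token>" access token, 45-char access token secret.
    "twitter_consumer_key": re.compile(
        r"(?i)consumer[_-]?key\W{0,5}([A-Za-z0-9]{25})\b"),
    "twitter_consumer_secret": re.compile(
        r"(?i)consumer[_-]?secret\W{0,5}([A-Za-z0-9]{50})\b"),
    "twitter_access_token": re.compile(
        r"(?i)access[_-]?token\W{0,5}(\d{5,}-[A-Za-z0-9]{20,})\b"),
    "twitter_access_secret": re.compile(
        r"(?i)access[_-]?token[_-]?secret\W{0,5}([A-Za-z0-9]{45})\b"),
    # AWS access key IDs start with AKIA; classic GitHub tokens with ghp_.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}

# All four values together let an attacker call the API as the account owner,
# with no password and no 2FA prompt involved.
FULL_TWITTER_SET = {
    "twitter_consumer_key", "twitter_consumer_secret",
    "twitter_access_token", "twitter_access_secret",
}

SOURCE_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties", ".js"}


def scan_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per match, sorted by line, with the value redacted
    so the report itself does not become a second leak."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1)
            findings.append({
                "source": source,
                "type": kind,
                "line": text.count("\n", 0, m.start()) + 1,
                "redacted": value[:4] + "..." + value[-4:],
            })
    findings.sort(key=lambda f: (f["source"], f["line"]))
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a decompiled app directory and scan every text-like source file."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


def has_full_twitter_credential_set(findings: list[dict]) -> bool:
    """True when all four OAuth 1.0a values leak together (the worst case)."""
    return FULL_TWITTER_SET <= {f["type"] for f in findings}


# Constructed sample resembling res/values/strings.xml from a decompiled APK.
# The values are placeholders of the right shape, not real credentials; the
# AWS value is the placeholder key from AWS documentation.
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DemoTweeter</string>
    <string name="twitter_consumer_key">{'A' * 25}</string>
    <string name="twitter_consumer_secret">{'B' * 50}</string>
    <string name="twitter_access_token">1234567890-{'C' * 45}</string>
    <string name="twitter_access_token_secret">{'D' * 45}</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
</resources>
"""


def main(argv: list[str]) -> int:
    """Scan the directory given on the command line, or the sample if none."""
    if len(argv) > 1:
        findings = scan_tree(Path(argv[1]))
    else:
        findings = scan_text(SAMPLE_STRINGS_XML, "sample strings.xml")
    for f in findings:
        print(f"{f['source']}:{f['line']}: {f['type']} {f['redacted']}")
    if has_full_twitter_credential_set(findings):
        print("FULL Twitter credential set leaked: takeover possible "
              "without the password or 2FA")
    return 1 if findings else 0  # non-zero exit lets CI fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_secrets.py path/to/decompiled-app`; with no argument it scans the built-in sample. The non-zero exit status lets the scanner gate a build, and `has_full_twitter_credential_set` separates the worst case, all four OAuth 1.0a values together, from a lone consumer key, which on its own identifies the app but not a user account.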


For their part, users are encouraged to regularly review the list of apps connected to their Twitter account (and to their other online accounts). On Twitter, go to Settings > Security > Apps & Sessions > Connected Apps. Revoke access for any app you no longer use or do not recognize. In the worst case, the app in question will simply ask you to link your account again.
