Twitter account hijackings made possible by mistake in 3,200 mobile applications

Security researchers have discovered developer error in more than 3,200 mobile apps, making full or partial Twitter account hijackings possible.

In the worst examples, affecting around 320 applications, it allows an attacker to take full control of a Twitter account…

This would allow them to do all of the following:

  • Read direct messages
  • Retweet
  • As
  • Wipe off
  • Delete subscribers
  • Follow any account
  • Get account settings
  • Change display image

The good news is that the accounts that can be hacked are those that belong to the app developer, rather than the user, but the cybersecurity firm says this creates the danger of an army of bots using accounts Twitter often highly publicized and verified to spread. disinformation.

The army of Twitter bots that we are going to try to create can fight any war for you. But perhaps the most dangerous is the disinformation war, on the Internet, fueled by bots. Time Berners-Lee, the founding father of the internet, said it’s too easy for misinformation to spread because most people get their information from a small set of social media sites and search engines. searchers who earn money by clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can “spread like wildfire”.

Another risk is that the accounts are used to promote scams, like the cryptocurrency ones prevalent on Twitter.

Yet another is the potential disclosure of sensitive information through attackers with access to direct messages.

beeping computer explains how the problem arose.

When integrating mobile apps with Twitter, developers will receive special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys will also enable the app to act on the user’s behalf, such as logging in via Twitter, creating tweets, sending DMs, etc. .

As access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store the keys directly in a mobile application where hackers can to find.

CloudSEK explains that leaking of API keys is usually the result of errors by app developers who embed their authentication keys into the Twitter API but forget to delete them when exiting mobile.

Affected apps include some extremely popular ones, with millions of users. The names of the apps weren’t disclosed, as most developers still haven’t fixed the issue a month after CloudSEK alerted them. One app was named – Ford Events – because the Ford Motor Company updated the app to remove identifying information.

Photo: Joshua Hoehne/Unsplash

FTC: We use revenue-generating automatic affiliate links. After.

Check out 9to5Mac on YouTube for more Apple news:

Casey J. Nelson