More than 3,200 apps are leaking Twitter API keys, CloudSEK finds

2 Aug 2022


CloudSEK researchers said leaked API keys could be used to build a ‘bot army’ on Twitter to spread misinformation or malware through hijacked accounts.

Security researchers uncovered more than 3,200 apps leaking Twitter API keys, which can be used to gain access to or take over accounts.

Cybersecurity firm CloudSEK said these apps were found to be leaking valid consumer key and consumer secret API keys. Of these apps, 230 were leaking all four authentication credentials that can be used to fully take over a user’s Twitter account.

A report by the company said some of these apps are linked to unicorn companies.

A threat actor who gains access to a Twitter account in this way could perform actions such as reading direct messages, deleting tweets, accessing account settings, following other accounts, removing followers and changing the account profile picture.

An API, or application program interface, is generally used to extend an application’s data and functionality to other developers.

CloudSEK said that by offering its API, Twitter allows developers to create their own ways of embedding Twitter’s data and functionality into their applications.

“For example, if a gaming app posts your high score on your Twitter feed directly, it is powered by the Twitter API,” CloudSEK said in its report.

The report said an exposed API is often the result of a mistake by the developer, as they tend to use the API for testing and can fail to remove authentication credentials from accessible parts of the app before it is made public.

CloudSEK said that a malicious actor who has access to the Twitter API keys could use them to hijack accounts and create a “bot army”.

This army could include verified accounts with large numbers of followers, which could be used to spread misinformation, spearhead malware attacks, release large amounts of spam or conduct phishing campaigns.

The report said it is “imperative” that API keys are not directly embedded in apps and encouraged developers to follow secure coding and deployment processes to prevent these leaks from occurring.
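As an added illustration (not code from CloudSEK's report or from this article), a pre-release check along these lines can stop a build that still carries embedded Twitter credentials. The file paths, identifier names and credential lengths are assumptions, and all sample values are constructed.

```python
import re
from collections import defaultdict

# Assumed credential shapes: heuristics, not an official Twitter specification.
SHAPES = {
    "consumer_key": re.compile(r"^[A-Za-z0-9]{25}$"),
    "consumer_secret": re.compile(r"^[A-Za-z0-9]{50}$"),
    "access_token": re.compile(r"^\d+-[A-Za-z0-9]{20,40}$"),
    "access_token_secret": re.compile(r"^[A-Za-z0-9]{45}$"),
}
# name/value pairs in XML resources, source constants, JSON and .properties files.
PAIR = re.compile(r"""([A-Za-z_][\w.]*)["']?\s*[=:>]\s*["']?([A-Za-z0-9-]{20,})""")

def classify(name):
    """Map an identifier to the credential it most likely holds."""
    n = re.sub(r"[^a-z]", "", name.lower())
    if "secret" in n:
        return "access_token_secret" if "token" in n else "consumer_secret"
    if "token" in n:
        return "access_token"
    return "consumer_key" if "key" in n else None

def scan(files):
    """files: {path: text}. Returns {path: sorted credential kinds found}."""
    hits = defaultdict(set)
    for path, text in files.items():
        for name, value in PAIR.findall(text):
            kind = classify(name)
            if kind and SHAPES[kind].match(value):
                hits[path].add(kind)  # record the kind only, never the value
    return {p: sorted(k) for p, k in hits.items()}

def verdict(hits):
    """Release-gate decision based on which credentials ship inside the app."""
    found = set().union(*hits.values())
    if found == set(SHAPES):
        return "block: all four credentials embedded"
    return "block: app keys embedded" if found else "pass"

# Constructed sample values and files (not real credentials).
CK, CS = "Ab3" * 8 + "Z", "Qr7xK" * 10
AT, ATS = "1234567890-" + "tK9w" * 10, "mN4pL" * 9
SAMPLE = {
    "res/values/strings.xml": f'<string name="twitter_consumer_key">{CK}</string>\n'
                              f'<string name="twitter_consumer_secret">{CS}</string>\n',
    "src/Config.java": f'static final String ACCESS_TOKEN = "{AT}";\n'
                       f'static final String ACCESS_TOKEN_SECRET = "{ATS}";\n',
}

if __name__ == "__main__":
    print(scan(SAMPLE), verdict(scan(SAMPLE)))
```

A configuration that references a value injected at build or run time, rather than containing the literal, passes the check.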

According to BleepingComputer, most of the apps that are publicly exposing API keys have not addressed the issues noted by the CloudSEK report.


Leigh Mc Gowran is a journalist with Silicon Republic