Skip to main content

Twitter account hijacks made possible by security error in over 3,200 mobile apps

Security researchers have discovered a developer error in more than 3,200 mobile apps, which make possible full or partial Twitter account hijacks.

In the worst examples, affecting around 320 apps, it enables an attacker to gain complete control of a Twitter account …

This would enable them to perform any and all of the following:

  • Read direct messages
  • Retweet
  • Like
  • Delete
  • Remove followers
  • Follow any account
  • Get account settings
  • Change display picture 

The good news is that the accounts that can be hijacked are those belonging to the app developer, rather than the user, but cybersecurity company says that this creates the danger of a bot army using what are often high-profile and verified Twitter accounts to spread disinformation.

The Twitter bot army that we will try to create can fight any war for you. But perhaps the most dangerous one is the misinformation war, on the internet, powered by bots. Time Berners-Lee, the founding father of the internet said that it is too easy for misinformation to propagate because most people get their news from a small set of social media sites and search engines that make money from people clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can “spread like wildfire.”

Another risk is the accounts being used to promote scams, like the cryptocurrency ones prevalent on Twitter.

Yet another is the potential disclosure of sensitive information through attackers getting access to direct messages.

Bleeping Computer explains how the problem arose.

When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.

As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them.

CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API but forget to remove them when the mobile is released.

The apps affected include some extremely popular ones, with millions of users. The names of the apps have not been disclosed, as most developers still haven’t fixed the problem a full month after CloudSEK alerted them. One app has been named – Ford Events – as the Ford Motor Company updated the app to remove the credentials.

Photo: Joshua Hoehne/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications