Here’s how we got access to 3207 Twitter API Keys of different organizations ranging from small-scale startups to leading unicorns.
– First, by decompiling a large number of mobile applications, we examined the Twitter API tokens and secrets hardcoded into them and found that the leading use case was hardcoding the Twitter Consumer Secret and Consumer Token to generate OAuth credentials for Twitter API calls.
– In that giant pool of tokens, we also discovered hardcoded Access Tokens and Access Token Secrets. With these tokens, someone can build an app of their own that impersonates a legitimate organization and performs critical or sensitive actions such as reading DMs, retweeting, liking, deleting tweets, removing followers, following any account, reading account settings, changing the DP (display picture) to a logo of their choosing, etc.
– Moreover, with the combination of all four credentials (Consumer Secret, Consumer Token, Access Secret, and Access Token), an attacker gets both user- and application-based authentication, resulting in a total takeover of the Twitter account and much more. We found 230 such applications. Scary, right?
– Multiple apps were found leaking Premium and Enterprise level tokens; these are the tokens that require a $149/month subscription to use the Twitter Search feature.
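As an added illustration of the detection side (not code from the talk or its authors), the scanner below runs the credential-kind and exposure-tier reasoning from the points above over constructed decompiled-app text: it looks for each of the four Twitter credentials by its usual name plus value shape, then rates the app by which combination leaked. The file layouts, sample values and the value-length heuristics are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Each pattern pairs a context keyword (how the credential is usually named in
# strings.xml or Java) with the shape of its value. The value lengths are
# assumed heuristics from commonly seen Twitter credentials, not a published spec.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "consumer_key": re.compile(
        r'consumer[_\s]*key[^\n>]{0,40}?["\'>]([A-Za-z0-9]{20,30})["\'<]', re.I),
    "consumer_secret": re.compile(
        r'consumer[_\s]*secret[^\n>]{0,40}?["\'>]([A-Za-z0-9]{40,60})["\'<]', re.I),
    "access_token": re.compile(  # lookahead keeps ACCESS_TOKEN_SECRET out of this bucket
        r'access[_\s]*token(?![_\s]*secret)[^\n>]{0,40}?["\'>]'
        r'([0-9]{5,25}-[A-Za-z0-9]{30,50})["\'<]', re.I),
    "access_token_secret": re.compile(
        r'access[_\s]*token[_\s]*secret[^\n>]{0,40}?["\'>]([A-Za-z0-9]{35,60})["\'<]', re.I),
}

# Constructed, obviously fake credential values of plausible length.
CK = "EXAMPLEconsumerKEY" + "0" * 7                 # 25 chars
CS = "EXAMPLEconsumerSECRET" + "0" * 29             # 50 chars
AT = "1234567890-EXAMPLEaccessTOKEN" + "0" * 22     # digits-dash-40 chars
ATS = "EXAMPLEaccessTOKENsecret" + "0" * 21         # 45 chars

# Constructed "decompiled app" trees: path -> file text.
SAMPLE_APP_A = {  # ships all four credentials
    "res/values/strings.xml": ('<resources>\n'
        f'    <string name="twitter_consumer_key">{CK}</string>\n'
        f'    <string name="twitter_consumer_secret">{CS}</string>\n</resources>\n'),
    "com/example/app/TwitterClient.java": ('public class TwitterClient {\n'
        f'    static final String ACCESS_TOKEN = "{AT}";\n'
        f'    static final String ACCESS_TOKEN_SECRET = "{ATS}";\n}}\n'),
}
SAMPLE_APP_B = {  # consumer pair only
    "com/example/app/Config.java": (f'    String consumerKey = "{CK}";\n'
                                    f'    String consumerSecret = "{CS}";\n'),
}

def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {credential_kind: [(path, value), ...]} for every hit."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for path, text in files.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hits.setdefault(kind, []).append((path, m.group(1)))
    return hits

def classify(hits: Dict[str, List[Tuple[str, str]]]) -> str:
    """Map the leaked combination to the exposure tiers described in the talk."""
    has_app = "consumer_key" in hits and "consumer_secret" in hits
    has_user = "access_token" in hits and "access_token_secret" in hits
    if has_app and has_user:
        return "full-takeover"        # all four: user- and application-based auth
    return "user-impersonation" if has_user else ("app-auth" if has_app else "none")

def report(files: Dict[str, str]) -> str:
    """Print redacted findings (never echo the full secret) and return the tier."""
    hits = scan_files(files)
    for kind, entries in hits.items():
        for path, value in entries:
            print(f"{kind:20s} {path}: {value[:4]}...{value[-2:]}")
    tier = classify(hits)
    print("exposure:", tier)
    return tier
```

Run `report(SAMPLE_APP_A)` to see the four redacted hits and the `full-takeover` rating; `report(SAMPLE_APP_B)` rates as `app-auth`.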
It’s not unusual for developers to hardcode sensitive information in their source code and then push it to popular code-sharing platforms like GitHub. According to GitGuardian, 6 million hardcoded secrets were discovered in 2021, with India the leading source of leaks and the total twice that of 2020. Considering that GitGuardian’s studies are limited to public repositories hosted on GitHub or GitLab, and do not cover secrets committed to private repositories or self-hosted Git servers, it is astounding that no directed research has been conducted to reveal where else these hardcoded tokens end up, beyond version-control platforms.
Hence, in our study we directly explore the source code of millions of mobile apps and find these leaks at their source. In this talk, we plan on investigating the causes, impacts, and techniques that can be used to prevent such leaks. Further, we’ll give you a sneak peek into some of our exciting findings.