HITB-Invoice-Logo

thank you for joining us!

Building an Army of Bots by Hijacking a Unicorn’s Twitter Handle

Date

August 25, 2022

Time

12:00

Track

CommSec Track

Here’s how we got access to 3207 Twitter API Keys of different organizations ranging from small-scale startups to leading unicorns.

– First, we examined an unending number of Twitter API tokens and secrets being hardcoded into mobile applications by decompiling multiple apps and found that the leading use case was hardcoding Twitter Consumer Secret and Consumer Token to generate OAuth Credentials for performing Twitter API Calls.

– In that giant pool of tokens, we also discovered hardcoded Access tokens and Access tokens secrets. With these tokens, someone can make an app of their own to impersonate a legitimate organization which they can use to perform any critical/sensitive actions such as DM read, Retweet, Like, Delete, remove follower, follow any account, get account settings, change DP to our company logo, etc.

– Moreover, with the Combination of all the four Credentials, Customer Secret, Customer Token, Access Secret, and Access Token an attacker can get User and Application Based Authentication resulting in a total Take over of Twitter accounts and much more. We found 230 such applications. Scary, right?

– Multiple Apps were found leaking Premium and Enterprise Level Tokens, these are the tokens that require a 149$/month subscription to use Twitter Search Feature.

It’s not unusual for developers to hardcode sensitive information in their source code and then submit it to popular code-sharing platforms like GitHub. According to GitGuardian, 6 million hardcoded secrets will be discovered in 2021, with India being the leading source of leaks and an increase of 2 times compared to 2020. Considering that GitGuardian’s studies are limited to only public repositories hosted on GitHub or GitLab and not secrets being committed in private repositories or self-hosted git clients it is astounding that no directed research has been conducted to reveal the different use cases of these hardcoded tokens apart from version-control platforms.

Hence, in our study, we directly explore the source code of millions of mobile apps and find out these instances of leaks directly. In this talk, we plan on investigating the causes, impacts, and techniques that can be used to prevent such leaks. Further, we’ll be giving you a sneak peek into some of our exciting findings.

Screenshots

Speakers

Researcher

National University Singapore

Dr. Wang Kailong is currently a research fellow at National University of Singapore (NUS). He received his PhD degree from School of Computing NUS in 2022. He has worked as a Research Assistant in NUS while pursuing his PhD degree from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His works have appeared in the top conferences such as WWW and MobiCom.

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP & head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured in HITB, Defcon, Black Hat, CCC, and other conferences, spanning fields from low level security research such as hardware vulnerabilities, binary instrumentation, and car hacking to high level research on AI detection methods, Enterprise security, and Identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Senior Security Researcher

Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and Vehicle security. He is a winner of GeekPwn 2020 and also made to the Tesla hall of fame 2021. Kevin2600 has spoken at various conferences including KCON; DEFCON and CANSECWEST.

Security Researcher

Li Siwei is a security researcher. He specializes in Big data analysis and AI Security.

Founder, CEO

CloudSEK

Rahul Sasi is an Indian entrepreneur, Founder of CloudSEK, and a security expert. He was voted as the top influential Cyber Security person in 2015, he has made a significant open source contribution to the security landscape and is an invited speaker to over 20+ countries. He is part of the working committees of RBI and MeitY.
CloudSEK : https://cloudsek.com/
LinkedIn: https://www.linkedin.com/in/fb1h2s/

Senior Security Engineer

CloudSEK

Vishal Singh is working as a Senior Security Engineer at CloudSEK. His main responsibility includes handling the Research & Development of CloudSEK ASM. He loves automating manual effort tasks, and also likes net surfing & exploring new places in his free time.

Other Talks in This Track

LOCATION

CommSec Track

DATE

August 26

TIME

16:30

LOCATION

CommSec Track

DATE

August 26

TIME

17:30

LOCATION

CommSec Track

DATE

August 26

TIME

12:00