Building an Army of Bots by Hijacking a Unicorn’s Twitter Handle

Date

August 25, 2022

Time

12:00

Track

CommSec Track

Here’s how we got access to 3,207 Twitter API keys belonging to organizations ranging from small startups to leading unicorns.

– First, by decompiling a large number of mobile applications, we examined the Twitter API tokens and secrets hardcoded into them. The leading use case was a hardcoded Consumer Key and Consumer Secret, used to generate OAuth credentials for Twitter API calls.

– In that large pool of tokens, we also discovered hardcoded Access Tokens and Access Token Secrets. With these tokens (used alongside the app’s Consumer Key and Secret), someone can build an app of their own that impersonates the legitimate organization and performs sensitive actions: reading DMs, retweeting, liking, deleting tweets, removing followers, following any account, reading account settings, changing the profile picture to the attacker’s logo, and so on.

– Moreover, with the combination of all four credentials, Consumer Key, Consumer Secret, Access Token and Access Token Secret, an attacker gets both user-based and application-based authentication, resulting in a total takeover of the Twitter account and much more. We found 230 such applications. Scary, right?

– Multiple apps were found leaking Premium and Enterprise level tokens; these are the tokens that require a $149/month subscription to use the Twitter Search feature.
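To make the three tiers above concrete, here is what each leaked credential set lets an attacker construct, worked through offline. This is an added example written for this page, not code from the talk or from CloudSEK: the consumer key and secret alone produce the Basic credential that OAuth 2 client-credentials exchange turns into an app-only bearer token, while all four credentials produce a user-context OAuth 1.0a signature, which is why the four-credential case is the account-takeover case. The credential values, nonce and timestamp are the public test values from Twitter’s “Creating a signature” documentation, so nothing here is a live secret and nothing is sent over the network.

```python
"""Offline demonstration of what leaked Twitter credential sets enable.

Added example, not the speakers' code. Values are Twitter's documented
test values (public, not live). No network traffic is generated.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    # OAuth 1.0a percent-encoding: only unreserved characters stay as-is.
    return quote(str(s), safe="-._~")


def app_only_basic_credential(consumer_key, consumer_secret):
    """Value for 'Authorization: Basic ...' on POST /oauth2/token with
    grant_type=client_credentials. Consumer key+secret alone are enough to
    obtain a bearer token and call read-only endpoints as the app."""
    raw = f"{pct(consumer_key)}:{pct(consumer_secret)}".encode()
    return base64.b64encode(raw).decode()


def signature_base_string(method, url, params):
    # Sort by encoded key then value, join with '&', encode the whole string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(param_str)])


def signing_key(consumer_secret, token_secret=""):
    # Both secrets are needed: this is why the four-credential leak is worse.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(base_string, key):
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_header(method, url, request_params, creds, nonce=None, timestamp=None):
    """Return (Authorization header value, signature base string) for a
    user-context request signed with consumer key/secret + access token/secret."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["access_token"],
        "oauth_version": "1.0",
    }
    # Query/body parameters are signed together with the oauth_* parameters.
    base = signature_base_string(method, url, {**request_params, **oauth})
    key = signing_key(creds["consumer_secret"], creds["access_token_secret"])
    oauth["oauth_signature"] = sign(base, key)
    header = "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


# Public test values from Twitter's documentation, not live credentials.
DOC_CREDS = {
    "consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "consumer_secret": "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
    "access_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "access_token_secret": "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE",
}
DOC_NONCE = "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg"
DOC_TIMESTAMP = 1318622958


def doc_example():
    """The documented POST statuses/update.json request, signed with the
    fixed nonce/timestamp so the base string can be compared with the docs."""
    return oauth1_header(
        "POST", "https://api.twitter.com/1.1/statuses/update.json",
        {"status": "Hello Ladies + Gentlemen, a signed OAuth request!",
         "include_entities": "true"},
        DOC_CREDS, nonce=DOC_NONCE, timestamp=DOC_TIMESTAMP)


if __name__ == "__main__":
    print("Basic", app_only_basic_credential(
        DOC_CREDS["consumer_key"], DOC_CREDS["consumer_secret"]))
    header, base = doc_example()
    print(base)
    print(header)
```

The practical consequence for a defender: an access token and its secret cannot be used without the consumer secret, so an app that ships only its consumer pair exposes app-only access, while one that ships all four exposes the linked account. Either way the fix is the same: regenerate the keys in the developer portal (which invalidates the leaked ones) and move any signing or token minting to a backend the app talks to, rather than embedding the secrets in the binary.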

It’s not unusual for developers to hardcode sensitive information in their source code and then push it to code-sharing platforms like GitHub. According to GitGuardian, 6 million hardcoded secrets were detected in 2021, twice the 2020 figure, with India the leading source of leaks. Considering that GitGuardian’s studies are limited to public repositories hosted on GitHub or GitLab, and do not cover secrets committed to private repositories or self-hosted git servers, it is striking that no directed research has looked at where else these hardcoded tokens end up, beyond version-control platforms.

Hence, in our study we go directly to the source code of millions of mobile apps and find these leaks there. In this talk we investigate the causes and impacts of such leaks and the techniques that can be used to prevent them, and we give a sneak peek at some of our findings.
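The kind of scan the study describes, as an added example written for this page rather than the speakers’ tooling: it walks decompiled app artifacts (the strings.xml, Java and smali files that apktool and jadx produce), picks out string literals near Twitter/OAuth-related words, classifies them as consumer key, consumer secret, access token, access token secret or bearer token, and rates each app by which of the talk’s tiers the leaked set falls into. The input is a constructed in-memory sample of three fictional apps with made-up values; the length bands, context words and entropy cut-off are heuristics chosen for this example, not rules from the talk.

```python
"""Scan decompiled mobile-app output for hard-coded Twitter credentials and
rate each app by what the leaked set enables (tiers from the talk).

Added example, not the speakers' tooling. SAMPLE_FILES is a constructed
stand-in for walking a real decompiled directory; every value is made up.
"""
import math
import re
from collections import defaultdict

# Constructed sample of apktool/jadx-style output for three fictional apps.
SAMPLE_FILES = {
    "com.example.shopfast/res/values/strings.xml": """<resources>
    <string name="app_name">ShopFast</string>
    <string name="crash_reporter_id">ab12cd34ef56ab78cd90ef12ab34cd56</string>
    <string name="twitter_consumer_key">9fGh2kLmNp4QrStUvWxYz1234</string>
    <string name="twitter_consumer_secret">aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5zA7bC9dE1fG3hI</string>
</resources>""",
    "com.example.shopfast/sources/com/example/shopfast/TwitterClient.java": """package com.example.shopfast;

public final class TwitterClient {
    // brand account credentials, committed "temporarily"
    private static final String ACCESS_TOKEN = "1234567890-Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8L9z0";
    private static final String ACCESS_TOKEN_SECRET = "ZxCvBnM1aSdFgH2jKlQwErTy3UiOpAsDfGhJ4kLzXcVbN";
}""",
    "com.example.newsreader/sources/com/example/newsreader/TwitterKeys.java": """public final class TwitterKeys {
    public static final String CONSUMER_KEY = "Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Q";
    public static final String CONSUMER_SECRET = "Rs9Tu0Vw1Xy2Za3Bc4De5Fg6Hi7Jk8Lm9No0Pq1Rs2Tu3Vw4Xy";
    public static final String ACCESS_TOKEN_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}""",
    "com.example.weather/smali/com/example/weather/TwitterSearch.smali": """.class public final Lcom/example/weather/TwitterSearch;
.super Ljava/lang/Object;

# static fields
.field private static final BEARER:Ljava/lang/String; = "AAAAAAAAAAAAAAAAAAAAAHk3mQ%2Bz7Lp9vR2sT5wX8yB1cD4eF6gH0jK2lM5nP7qS9uV3wZ6aC8dF1hJ4kN7pR0tW3yB5"
""",
}

# A literal is only classified when one of these words appears on the same or
# one of the two preceding lines; bare 25-char alphanumerics are otherwise
# mostly resource ids and base64 fragments. (Heuristic chosen for this example.)
CONTEXT_WORDS = ("twitter", "consumer", "oauth", "api_key", "apikey",
                 "access_token", "bearer", "token_secret")
CANDIDATE_RE = re.compile(r"[A-Za-z0-9%\-]{20,}")
ACCESS_TOKEN_RE = re.compile(r"^\d{5,}-[A-Za-z0-9]{35,45}$")   # "<user id>-<40 chars>"
BEARER_RE = re.compile(r"^A{20,}[A-Za-z0-9%]{60,}$")            # leading zero bytes in base64, URL-encoded
# Length bands (current lengths are 25 / 50 / 45; bands allow older, shorter keys).
LENGTH_BANDS = (("consumer_key", 20, 32), ("access_token_secret", 40, 47), ("consumer_secret", 48, 60))
MIN_ENTROPY = 3.0  # bits per character; drops "xxxx..." placeholders


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify(candidate):
    """Credential kind for a string literal, or None if it is not one."""
    if BEARER_RE.match(candidate):
        return "bearer_token"
    if ACCESS_TOKEN_RE.match(candidate):
        return "access_token"
    if "-" in candidate or "%" in candidate or shannon_entropy(candidate) < MIN_ENTROPY:
        return None
    return next((k for k, lo, hi in LENGTH_BANDS if lo <= len(candidate) <= hi), None)


def scan_file(path, text):
    """Yield (path, line_no, kind, value) for each credential-looking literal."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        context = " ".join(lines[max(0, i - 2):i + 1]).lower()
        if any(w in context for w in CONTEXT_WORDS):
            for cand in CANDIDATE_RE.findall(line):
                kind = classify(cand)
                if kind:
                    yield (path, i + 1, kind, cand)


def rate_impact(kinds):
    """Map the set of leaked kinds to what an attacker gains (tiers from the talk)."""
    if {"consumer_key", "consumer_secret", "access_token", "access_token_secret"} <= kinds:
        return "user-context: full takeover of the linked account"
    if {"consumer_key", "consumer_secret"} <= kinds:
        return "app-only: can obtain a bearer token and act as the app"
    if "bearer_token" in kinds:
        return "app-only: read access with the leaked bearer token"
    return "partial: single credential, limited use on its own"


def scan_app(files):
    """files: {path: text}; the first path component names the app.
    Returns (findings, kinds per app, impact rating per app)."""
    findings, kinds = [], defaultdict(set)
    for path, text in files.items():
        for f in scan_file(path, text):
            findings.append(f)
            kinds[path.split("/", 1)[0]].add(f[2])
    return findings, dict(kinds), {app: rate_impact(k) for app, k in kinds.items()}


if __name__ == "__main__":
    findings, kinds, impact = scan_app(SAMPLE_FILES)
    for path, no, kind, value in findings:
        print(f"{path}:{no} {kind} {value[:6]}...")
    for app, rating in impact.items():
        print(app, "->", rating)
```

Two things a practitioner would add before trusting a hit: confirm it is live with one harmless authenticated read call before reporting it, since placeholders and rotated keys look identical on disk (the entropy check above only catches the obvious `xxxx` kind), and treat every confirmed hit as a key-rotation incident for the owner, not just a finding.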

Speakers

Founder, CEO

CloudSEK

Rahul Sasi is an Indian entrepreneur, founder of CloudSEK and a security expert. He was voted the most influential cyber security person of 2015, has made significant open source contributions to the security landscape, and has been an invited speaker in more than 20 countries. He is part of the working committees of RBI and MeitY.
CloudSEK : https://cloudsek.com/
LinkedIn: https://www.linkedin.com/in/fb1h2s/

Senior Security Engineer

CloudSEK

Vishal Singh is a Senior Security Engineer at CloudSEK, where he is responsible for the research and development of CloudSEK ASM. He loves automating manual tasks, and in his free time likes surfing the net and exploring new places.
