
Twitter API Leak Can Open Door to Building a Bot Army, CloudSEK Reports


CloudSEK’s Attack Surface Monitoring Platform has uncovered 3,207 apps that are leaking Twitter application programming interface (API) keys, which can be used to access or to take over Twitter accounts.

That news comes via a new report, "How Leaked Twitter API’s Can Be Used to Build a Bot Army," from CloudSEK, a contextual artificial intelligence company that predicts cyberthreats.

230 Apps Can Take Over Twitter Accounts

According to the CloudSEK report:

  • The CloudSEK Attack Surface Monitoring Platform discovered 3207 apps that were leaking valid Consumer Keys and Consumer Secrets.
  • 230 apps, some of which are unicorns, can be used to fully take over their Twitter accounts to perform critical/sensitive actions, such as:
      • Read Direct Messages
      • Retweet
      • Like
      • Delete
      • Remove followers
      • Follow any account
      • Get account settings
      • Change display picture

Twitter Bots Spread Misinformation

CloudSEK explains that access to the Twitter API requires generating the Keys and Access Tokens. These act as the usernames and passwords for the apps, as well as the users on whose behalf the API requests will be made.
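Because those keys and tokens function as credentials, the practical defensive question is whether they have been compiled or packaged into an app where anyone can extract them. The following scanner is an added example written for this article; it is not CloudSEK's tool or code from the report. It flags source or config lines that assign a long quoted string literal to a credential-like identifier (the identifier list, the 16-character minimum and the sample input are all constructed assumptions), while leaving alone code that reads the same credential from the environment at runtime, which is the pattern a shipped artifact should contain.

```python
import re
from dataclasses import dataclass

# Identifier fragments (matched case-insensitively) under which Twitter API
# credentials are commonly stored. Constructed list; extend it for your codebase.
CREDENTIAL_NAMES = (
    "consumer_key", "consumer_secret",
    "access_token", "access_token_secret",
    "api_key", "api_secret", "bearer_token",
)

# Build `consumer[_-]?key|consumer[_-]?secret|...` so that consumer_key,
# consumer-key and consumerKey are all recognised.
_NAME_ALTERNATION = "|".join(
    name.replace("_", "[_-]?") for name in CREDENTIAL_NAMES
)

# A finding is `<anything>credential_name  =  "<16+ token characters>"`,
# with `:` also accepted as the separator (YAML / JSON style) and the closing
# quote required to match the opening one. Values shorter than 16 characters
# (empty strings, "TODO", "changeme") are deliberately ignored as placeholders.
_PATTERN = re.compile(
    r"(?i)(?P<name>[\w.-]*(?:" + _NAME_ALTERNATION + r"))"
    r"\s*[:=]\s*(?P<q>[\"'])(?P<value>[A-Za-z0-9_\-]{16,})(?P=q)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str      # identifier as written in the file
    preview: str   # first four characters of the value, rest masked


def mask(value: str) -> str:
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def find_hardcoded_credentials(text: str) -> list[Finding]:
    """Return one Finding per line that embeds a credential as a string literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = _PATTERN.search(line)
        if match:
            findings.append(
                Finding(line_no, match.group("name"), mask(match.group("value")))
            )
    return findings


# Constructed sample: three literals that would ship inside the app (bad) and
# one credential loaded from the environment at runtime (acceptable).
SAMPLE_SOURCE = """\
# constructed config fragment, not taken from any real app
TWITTER_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY"
TWITTER_CONSUMER_SECRET = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN'
access_token: "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefg"
consumer_key = os.environ["TWITTER_CONSUMER_KEY"]
placeholder_secret = ""
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} = {f.preview}")
```

Run it against a decompiled APK's resources, an `.env` file accidentally committed, or a CI build output; anything it reports should be moved to a secrets manager or injected at runtime, and the exposed key rotated, since once a Consumer Key and Secret have shipped in a public artifact they must be assumed copied.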

A malicious actor in possession of this information can create a “Twitter bot army,” which could be used to spread mis/disinformation. Twitter was recently exploited to promote the “fake suspension notices” phishing scam, CloudSEK says in the report; in that campaign, verified handles lent the scam credibility.

CloudSEK notes that Twitter is the sole medium of news and information for many of its users. Therefore, “multiple account takeovers can be used to sing the same tune in tandem, reiterating the message that needs to be disbursed.”

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.