CloudSEK’s Attack Surface Monitoring Platform has uncovered 3,207 apps that are leaking Twitter application programming interface (API) keys, which can be used to access or to take over Twitter accounts.

That news comes via a new report, "How Leaked Twitter API’s Can Be Used to Build a Bot Army," from CloudSEK, a contextual artificial intelligence company that predicts cyberthreats.

230 Apps Can Take Over Twitter Accounts

According to the CloudSEK report:

  • The CloudSEK Attack Surface Monitoring Platform discovered 3207 apps were leaking valid Consumer Key and Consumer Secret.
  • 230 apps, some of which are unicorns, can be used to fully take over their Twitter Accounts to perform critical/sensitive actions, such as:
  • Read Direct Messages
  • Retweet
  • Like
  • Delete
  • Remove followers
  • Follow any account
  • Get account settings
  • Change display picture

Twitter Bots Spread Misinformation

CloudSEK explains that access to the Twitter API requires generating the Keys and Access Tokens. These act as the usernames and passwords for the apps, as well as the users on whose behalf the API requests will be made.

A malicious actor in possession of this information can create a “Twitter bot army,” which could be used to spread mis/disinformation. Twitter was recently exploited to promote the “fake suspension notices” phishing scam, CloudSEK says in the report. As such, verified handles helped validate the scam.

CloudSEK notes that Twitter is the sole medium of news and information for many of its users. Therefore, “multiple account takeovers can be used to sing the same tune in tandem, reiterating the message that needs to be disbursed.”