CloudSEK platform researchers found that more than 3,200 apps have a development issue that can greatly affect the security of users on Twitter. The flaw exposes the apps' Twitter API keys publicly, allowing hackers to break into accounts and pull profile information, read direct messages, like and retweet, follow any account, and so on, opening the way to the creation of a potential "bot army", as the researchers claim.
Fortunately, only a smaller share of those apps, around 320, give hackers all of this power. That is still a substantial number, and the security company has not released a list of them, since it has already contacted their developers so they can fix the issue. So far, only one Ford app — Ford Events — has patched it to make users' credentials more secure.
Another notable detail is that the exposed Twitter accounts are not those of the users who downloaded the app (and logged in through the network, for example), but rather the app developers' own Twitter accounts. If, on the one hand, that is some relief for individual privacy, on the other hand, large and verified profiles can, from one moment to the next, become vehicles for disinformation.
There is still a risk of such accounts being used to promote cryptocurrency scams, for example, or of confidential information pulled from DMs being leaked.
“By integrating mobile apps with Twitter, developers will receive special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also allow for the application to act on behalf of the user, such as logging in via Twitter, creating tweets, sending DMs, etc.,” the CloudSEK researchers explain.
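The root cause the researchers describe is that those developer keys and tokens end up embedded in the shipped app package, where anyone who unpacks it can read them. A pre-release check that development teams can run over their own decompiled resources or config files is a simple secret scan. The following is an added example written for this article, not CloudSEK's tooling or any app's real code: the credential-name patterns, the entropy threshold and the placeholder word list are assumptions, and the sample config text is constructed with made-up values.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Credential names commonly used for OAuth 1.0a-style keys (consumer key/secret,
# access token/secret). The name set and value charset are assumptions made for
# this example; they are not an official specification of Twitter's key format.
_CREDENTIAL_RE = re.compile(
    r'(?P<name>[\w.-]*(?:consumer[_-]?(?:key|secret)'
    r'|access[_-]?token(?:[_-]?secret)?'
    r'|api[_-]?(?:key|secret)))'
    r'["\']?\s*[=:]\s*["\']?'
    r'(?P<value>[A-Za-z0-9_\-]{16,})',
    re.IGNORECASE,
)

# Substrings that mark an obvious template value rather than a live credential.
_PLACEHOLDER_WORDS = ("your", "here", "changeme", "example", "xxxx", "todo")
# Bits per character below which a value is treated as non-random (assumed cut-off).
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    line_no: int
    name: str
    value: str
    entropy: float
    likely_live: bool


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """True when the value contains a word that marks it as a template entry."""
    v = value.lower()
    return any(w in v for w in _PLACEHOLDER_WORDS)


def scan_text(text: str) -> List[Finding]:
    """Return every credential-looking assignment in text, flagging the ones that
    look like real (high-entropy, non-placeholder) secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CREDENTIAL_RE.finditer(line):
            value = m.group("value")
            ent = shannon_entropy(value)
            live = ent >= ENTROPY_THRESHOLD and not looks_like_placeholder(value)
            findings.append(Finding(line_no, m.group("name"), value, round(ent, 2), live))
    return findings


def redact(value: str) -> str:
    """Show only the edges of a secret so reports do not re-leak it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


# Constructed sample of what an app's string resources or config might contain.
# All values are made up for this example; none are real credentials.
SAMPLE = """\
app_name=ExampleTransitApp
api_base_url=https://api.example.com/v1
twitter_consumer_key=xk3PqRA9zLw2bNmV7cT1eYg5H
twitter_consumer_secret=dQ8fR2mZ7vK1nB4xL9wP3cT6yH0jU5sA8eG2kM4oV7bN1rC3z
twitter_access_token=123456789012345678-Ab3Cd5Ef7Gh9Ij1Kl3Mn5Op7Qr9St1
"access_token_secret": "Zy9Xw7Vu5Ts3Rq1Po9Nm7Lk5Jh3Gf1Dc9Ba7Zy5Xw3Vu1T"
consumer_secret=YOUR_CONSUMER_SECRET_HERE
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        status = "LIVE CREDENTIAL?" if f.likely_live else "placeholder"
        print(f"line {f.line_no}: {f.name} = {redact(f.value)} (H={f.entropy}) {status}")
```

Run against the decompiled resources of a build candidate, a hit marked as a likely live credential means the key belongs on the developer's own backend, with the app calling that backend, rather than in the package. The entropy check only reduces noise from template values; a low-entropy hit is still worth a look, which is why the scanner reports it rather than dropping it.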
Some of the vulnerable apps have more than 5 million downloads on app stores, and include urban transport solutions, radio tuners, e-book readers, newspapers, banking apps, GPS tools and others.