Twitter: more than 3,000 apps have holes that can allow attacks on profiles

At least 3,200 mobile applications that integrate with Twitter carry a security flaw that can allow intrusion into their users' accounts on the social network. The cause is the public exposure of the keys for the platform's API, which are meant for the integration between those apps and the platform but which, in the wrong hands, can also be used maliciously.

All kinds of software are covered by the alert, including apps from major newspapers, banking apps, exercise apps, public transport apps and many others, some with more than five million downloads. The permissions users grant them vary, from posting and following accounts to reading and sending direct messages or changing profile settings.

When used properly, this type of connection is what allows, for example, a video game console to post screenshots to the social network, or an exercise app to share the results of a run or training session directly on Twitter. For this to work, the apps use the platform's integration APIs, whose keys, in the cases mentioned, are publicly exposed and could also be used for attacks against user accounts.

The survey was carried out by the security company CloudSek, which cites errors in the implementation of this connection as the cause of the problem. The experts say this is a common flaw in the development of integrated software: developers embed their authentication keys in the app while building the API integration, but forget to remove them before the public version of the application is released.
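The mistake described above can be caught before release by scanning an app's packaged resources for credential-shaped values under Twitter-related names. The following is an added example, not CloudSek's tooling or code from any of the affected apps; the sample `strings.xml` content and its values are constructed, and the name patterns and entropy threshold are assumptions chosen for illustration.

```python
import math
import re

# Constructed sample of an Android res/values/strings.xml as a developer might
# leave it before release. The values are made up and are not real credentials.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">RunShare</string>
    <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>
    <string name="twitter_consumer_secret">0123456789abcdefghijABCDEFGHIJ0123456789abcdefghij</string>
    <string name="twitter_access_token">REPLACE_ME_PLACEHOLDER</string>
    <string name="share_prompt">Share your run on Twitter?</string>
    <string name="twitter_hashtag">#morningrun</string>
</resources>
"""

# Resource names that suggest a Twitter API credential (assumed patterns, case-insensitive).
SENSITIVE_NAME = re.compile(r"(twitter|tw_).*(key|secret|token)|consumer_(key|secret)|access_token", re.I)
STRING_ENTRY = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
CREDENTIAL_LIKE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; real keys score high, words and placeholders low."""
    counts = {c: value.count(c) for c in set(value)}
    n = len(value)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_exposed_twitter_secrets(strings_xml: str, min_entropy: float = 3.5):
    """Return (resource_name, value) pairs that look like embedded Twitter API credentials.

    A hit needs a suggestive resource name AND a value shaped like a credential,
    so hashtags, prompts and obvious placeholders do not trigger.
    """
    findings = []
    for name, value in STRING_ENTRY.findall(strings_xml):
        value = value.strip()
        if not SENSITIVE_NAME.search(name):
            continue
        if CREDENTIAL_LIKE.match(value) and shannon_entropy(value) >= min_entropy:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in find_exposed_twitter_secrets(SAMPLE_STRINGS_XML):
        # Mask the value so the finding itself does not leak the secret into build logs.
        print(f"possible embedded credential: {name} = {value[:4]}...{value[-4:]}")
```

Run as a gate in the release pipeline, a non-empty result should fail the build; the placeholder entry is deliberately left unflagged to show that the entropy check filters non-secrets.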

Total apps that leaked combinations reached 4,800

According to the researchers' findings, a total of 4,800 applications were leaking key-and-secret combinations that would allow access to the integrated accounts, but in only 3,200 of them were the combinations still valid. The list of apps was not publicly disclosed, however, since all of the exposed keys remain usable and could be employed in attacks; the only exception was an event app related to the automaker Ford, which received an update after the experts contacted the company.

The main fear, according to CloudSek, is the use of the accounts in disinformation operations and in the spread of spam or malware. The focus is mainly on the verified accounts of users of the vulnerable integrated services, through which criminals could post and deface profiles to spread scams or fraudulent schemes that infect ever more people.

While there is nothing a user can do to protect their account once such an attack is under way, managing authorizations and the use of integrated apps helps keep a minimum of control. Only authorize the Twitter connection for software from recognized developers that follow good security practices, keep only the apps you actually use connected, and revoke the permissions of the others in the social network's settings.

Source: CloudSek
