Twitter accounts turned into bots: here is the danger hidden in thousands of iOS and Android apps

Some 3,200 mobile apps expose the access credentials of their developers’ Twitter accounts to the public: cybercriminals could exploit them to take control of the accounts and turn them into bots for illegal activities. Here are the risks involved and how to mitigate them.

CloudSEK researchers sound an alarm on more than 3,200 iOS and Android apps that cybercriminals could use to access developers’ Twitter accounts and form an army of bots.

“Even if there is no evidence in the specific case”, comments Fabrizio Croce, VP Sales South Europe, WatchGuard Technologies, “the problem sometimes lies in hasty or low-cost programming, in the use of API keys directly written in the code”.

Twitter account at risk: the details

App developers use Twitter’s API to access the social network’s features through four different authentication methods, used individually or in combination.

During the testing phases of an app, the authentication keys or tokens are embedded in the code to speed up the developers’ work. However, CloudSEK found that in 3,207 Android apps the login credentials were not removed before the apps were published in the official Apple and Google stores.

In this way, the apps make publicly visible the authentication keys with which attackers or cybercriminals could gain control of the Twitter accounts. Some of these apps exceed 5 million downloads.

Downloading the apps and retrieving the keys is a breeze. Cybercriminals could then access the Twitter accounts of users who have downloaded the apps to their device and perform malicious activities on behalf of the unsuspecting users: for example, reading direct messages, removing followers, adding likes, deleting tweets or retweets, following other accounts, and changing settings.

It would even be conceivable to form an army of bots to spread disinformation and malware, carry out cyber scams, send phishing emails or SMS to steal personal information.

How to protect yourself

In this case, security products are unfortunately of little help, although it remains necessary to use them to protect personal data and login credentials in every other case.

The advice, always valid, is to avoid downloading useless apps, because every additional app widens the attack surface.

“The researchers”, also emphasizes Fabrizio Croce, “affirm that to mitigate such attacks it is advisable to continually review the use of API keys directly written in the code, periodically replacing the keys to reduce the probable risks deriving from their theft”.

“Alternatively”, concludes the analyst, “the use of variables inserted in a file outside the code saves time and increases security. However, due care must be taken to ensure that the file containing environment variables is not included in the source code”.
