Twitter is making the headlines these days due to its ongoing conflict with Elon Musk over the company takeover. But the social media platform is facing a huge security threat amid its litigation. According to the report, cybersecurity firm CloudSEK has found that 3,207 apps expose a valid Consumer Key and Consumer Secret for the Twitter API. When a developer wants to integrate his app with Twitter, he receives special authentication keys or tokens. This paves the way for the app to interact with Twitter API. Then, any time a user connects his Twitter account to the developer’s app, the keys also will enable the app to act on behalf of the user.

Twitter API keys are leaking due to developer mistake

According to CloudSEK, the app developers made a huge mistake by embedding their authentication keys in the Twitter API. They also forgot to remove them once the app was released. CloudSEK says account hijackers can do almost everything with the account, including reading direct messages, liking and retweeting tweets, creating or deleting tweets, removing or adding new followers, changing account settings, or changing the pictures on the account. The cybersecurity firm also warns that account hijackers can create an army of verified Twitter accounts to promote fake news, malware campaigns, cryptocurrency scams, etc. Bleeping Computer says it has the full list of impacted applications that have between 50,000 and 5,000,000 downloads. Also, the apps range from transportation companions and radio tuners to book readers, event loggers, newspapers, e-banking apps, cycling GPS apps, and more. Most of the impacted applications claim they haven’t received the CloudSEK notices. Also, most of them still haven’t addressed the issues. The source did not disclose the names of the apps. However, it says Ford Motors was the only company that quickly responded and solved the issues on the “Ford Events” app.