August 8, 2022

Turning Leftover API Credentials into Twitter Bot Armies

Apps with leftover API credentials can be exploited by bad actors to create a bot army. How does this work, and where are the API credentials "leftover"?

Turning Leftover API Credentials into Twitter Bot Armies

Many disinformation campaigns surround a variety of topics, such as elections and vaccines, and propagate across the internet every day. It is worth wondering how such campaigns take place, specifically how new social media accounts are created in order to disseminate information that people then trust. The hard way is to build a following naturally, posting things that people find interesting multiple time a day every day and getting the attention and praise of verified larger accounts. But a security researcher may have found an easier path to building a trusted, verified poster without a single two-way interaction. The culprit...API Leftovers.

How do apps get social media access?

Security research firm CloudSEK published a report this month where they found that over 3,000 apps had leftover API authentication credentials visible in their source code. A large number of apps utilize social media integrations, allowing users to post something in the form of a Twitter update without going through the trouble of copying a link from the app and posting it themselves. To facilitate that, Twitter grants access to their API for app developers and uses OAuth credentials in order to connect app users to their Twitter accounts. Those credentials are often written in as a reference in the development stage. For example, they might be in somewhere called "resources/res/values/strings.xml" or "source/sources/com/app-name/Build-Config.java" per the report. If those authentication credentials and their references aren't removed prior to publication, they can be accessed by an enterprising attacker downloading and decompiling the app.

Theoretically, an attacker could use these credentials to gain full access and take over an organization's Twitter account, although the report notes that four distinct OAuth credentials have to be exposed for that to be possible and only 230 of the apps in their set met those conditions (bad news for those 230). This is where the bot army comes in. Per CloudSEK, the remaining leaked API keys can be harvested to tell Twitter that a lot of action is happening around whatever the attacker wants. It can be used to give the impression that a piece of disinformation is trusted, to verify an account, to promote a post containing a link to malware, or any other thing that requires a lot of Twitter activity.

Harmless API, or an API doing harm to society?

This is a prime example of how an extremely useful and seemingly harmless API can be exploited to deleterious effect if organizations aren't careful. Twitter is ubiquitous and acts as a sort of public square, but it is possible to game that public square. With clear evidence that bot armies do exist and do try to effect change in public opinion, it is doubtless that attackers use this or some other similar method of API key harvesting. But they can be stopped with proper API auditing.