Security Experts:

Twitter Says Bug Leading to API Key Leak Patched

Twitter last week started sending emails to developers to inform them of a vulnerability that might have resulted in the disclosure of developer information, including API keys.

The issue, which has been fixed, potentially resulted in details about Twitter developer applications being stored in the browser’s cache when the app builders visited the developer.twitter.com website, the company said in an email sent to developers, which was shared online.

Designed to provide developers using the Twitter platform and APIs with access to documentation, community discussion, and other type of information, the portal also offers app and API key management functionality.

In the email sent to developers, Twitter revealed that the addressed issue resulted in app keys and tokens being stored in the browser’s cache, thus potentially resulting in their leak.

An attacker could abuse private keys and tokens to interact with Twitter on behalf of the developer, while access tokens would allow them to log into a developer’s account without knowing the credentials.

“Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter.com, they may have been temporarily stored in the browser’s cache on that computer. If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed,” Twitter told developers.

According to the company, app consumer API keys, along with user access tokens and secrets for the developers’ own Twitter accounts might have been affected by the issue. Those who did not use a shared computer to access the developer portal should not be impacted.

The social media platform claims that it has no evidence that the developer app keys and tokens were compromised, but that it decided to inform the affected parties of the issue, so they could take the necessary measures to ensure their apps and accounts are kept secure.

“We changed the caching instructions that developer.twitter.com sends to your browser to stop it from storing information about your apps or account so this won’t happen any longer,” Twitter also said.

Affected developers are advised to regenerate app keys and tokens, to avoid further data leaks.

In early August, Twitter revealed that an issue with the Android application might have resulted in private data being exposed to malicious apps. In April, the company said that the manner in which Firefox stored cached data might have resulted in the personal data of Twitter users being exposed.

Related: Bug Exposed Direct Messages of Millions of Twitter Users

Related: Bug Gives Twitter Apps More Permissions Than Shown

Related: Twitter Suspends Fake Accounts for Exploiting API Vulnerability

view counter