Twitter is notifying developers today about a possible security incident that may have impacted their accounts.
The incident was caused by incorrect instructions that the developer.twitter.com website sent to users' browsers.
The developer.twitter.com website is the portal where developers manage their Twitter apps and the attached API keys, but also the access token and secret key for their own Twitter account.
In an email sent to developers today, Twitter said that its developer.twitter.com website told browsers to create and store copies of the API keys, account access token, and account secret inside their cache, the section of the browser where data is saved to speed up loading the page when the user visits the same site again.
This would not be a problem for developers using their own browsers, but Twitter is warning developers who may have used public or shared computers to access the developer.twitter.com website; in that case, their API keys are now most likely stored in those browsers.
"If someone who used the same computer after you in that short time frame knew how to access a browser's cache, and knew what to look for, it's possible they could have accessed the keys and tokens that you viewed," Twitter said.
"Depending on what pages you visited and what information you looked at, this could have included your app's consumer API keys, as well as the user access token and secret for your own Twitter account," Twitter said.
Twitter said it fixed the issue by changing what content gets cached when users access the developer.twitter.com portal.
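The fix Twitter describes is a change to the caching instructions a page sends. The following is an added example, not Twitter's code: a small checker for whether a browser is permitted to store a response, run against a constructed weak header set and its hardened form (the header values are illustrative, not taken from developer.twitter.com).

```python
"""Check whether an HTTP response carrying secrets may be written to a browser cache.

Added example, not Twitter's code. Header values below are constructed for illustration.
"""
from typing import Mapping


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header into {directive: argument_or_None}, lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: Mapping[str, str]) -> bool:
    """Return True if a browser is allowed to write this response body to its cache.

    Only 'no-store' forbids storing. 'no-cache' and 'max-age=0' merely force
    revalidation before reuse, so the body still lands on disk. 'private' only
    blocks shared caches; the user's own browser cache is still allowed. With no
    Cache-Control at all, browsers may cache heuristically.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def harden(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with storage of the response body disabled."""
    out = dict(headers)
    out["Cache-Control"] = "no-store"  # RFC 7234: do not store any part of the response
    out["Pragma"] = "no-cache"         # legacy hint for HTTP/1.0 intermediaries
    return out


# Constructed headers for a page that renders a developer's API key and secret.
WEAK = {"Content-Type": "text/html", "Cache-Control": "private, max-age=0"}
HARDENED = harden(WEAK)

if __name__ == "__main__":
    print("weak response may be cached:", browser_may_store(WEAK))          # True
    print("hardened response may be cached:", browser_may_store(HARDENED))  # False
```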
The social network also said it has no indication that any API keys have leaked this way, as an attacker would have needed to (1) know about the bug, and (2) have access to a developer's browser to extract the keys and tokens.
Nevertheless, Twitter decided to notify developers, just to be on the safe side.
"I believe that Twitter did the right thing by notifying the developers," John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.
"While I'm sure they will face scrutiny, transparency about security issues is a commendable community practice," he added.
"Generally, caching sensitive information such as API keys on the client side is an extremely bad practice and an obvious misconfiguration. The overall risk of this vulnerability is one that should definitely be taken seriously, but the likelihood of everyday exploitation is low," Jackson said.
"I'm curious to know what other sensitive information Twitter is caching, as this isn't the first scenario in which Twitter has done this, seen before when it was discovered that messages were being cached," Jackson said, referring to a similar incident the social network disclosed in April, when it said that some private data sent via direct messages may have remained in the browser cache of Firefox browsers.