Twitter developers are being warned of a security bug that may have exposed their applications’ credential information – including sensitive application keys and access tokens.
The issue stemmed from the caching behavior of developer.twitter.com. When developers visited the website, it temporarily stored information about their applications in the browser’s cache on the local computer, according to a security notice that Twitter sent to developers and that was shared on Twitter on Friday. The website developer.twitter.com is a central hub for Twitter developers, who create third-party applications for the Twitter platform. These applications allow Twitter users to incorporate other platforms into their Twitter account – for instance, OutTwit, a Windows application, allows users to access Twitter via Outlook.
“If you used a shared computer to visit developer.twitter.com with a logged-in Twitter account, we recommend that you regenerate your app keys and tokens,” said Twitter in its Friday notice.
An attack that leveraged the issue would be complex to carry out. An attacker would need to visit a public computer (in a library, for instance) right after a developer used that computer. And the developer would have needed to visit developer.twitter.com and view certain sensitive information that was then stored in the browser cache.
However, Twitter said that under those circumstances, depending on the pages visited and the information viewed, attackers could have accessed developers’ app consumer API keys, as well as the user access token and secret for their developer account.
This information is critical to securing Twitter and developer accounts. Application programming interface (API) keys are a unique identifier used to authenticate a user, developer, or calling program to an API. Twitter has said in a description of its Twitter API keys, “think of these as the user name and password that represents your Twitter developer app when making API requests.” An access token and access token secret, meanwhile, are user-specific credentials used to authenticate OAuth API requests. They specify the Twitter account the request is made on behalf of.
Twitter has fixed the bug by changing the caching instructions that developer.twitter.com sends to the browser, barring it from storing information about users’ apps or accounts.
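The fix Twitter describes comes down to the caching instructions a server sends with each response. As an added illustration (not Twitter’s code), the check below parses a response’s Cache-Control header and flags settings that still let a browser write a page containing keys or tokens to its on-disk cache; the sample headers are constructed, not captured from developer.twitter.com.

```python
# Added example: audit the caching instructions of an HTTP response that
# carries secrets (API keys, access tokens). Rule of thumb used here: only
# "no-store" forbids a browser from writing the body to disk; "no-cache" and
# "max-age=0" merely require revalidation before the stored copy is reused.

def parse_cache_control(value: str) -> dict:
    """Split 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict) -> bool:
    """True if the browser is allowed to keep the response body in its cache."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def audit_caching(headers: dict) -> list:
    """Return findings for a response that should never be cached client-side."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("missing no-store: browser may write the body to disk")
    if "no-cache" in cc and "no-store" not in cc:
        findings.append("no-cache only forces revalidation; it does not stop storage")
    if "public" in cc:
        findings.append("public: shared caches (proxies) may keep the response too")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        findings.append(f"max-age={cc['max-age']}: copy reusable without revalidation")
    return findings


# Constructed sample responses: a weak configuration beside the hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
HARDENED_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-store"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "may store:", browser_may_store(hdrs), audit_caching(hdrs))
```

Running the block prints the findings for both sample responses; the weak one is flagged twice, the hardened one not at all.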
A Twitter spokesperson sought to downplay the issue and told Threatpost that there is currently no evidence that developer app keys and tokens were compromised. Twitter did not comment on Threatpost’s inquiry regarding how many developers were impacted.
“Due to the nature of the issue – the fact that this information would have only been stored temporarily in the browser’s cache on the client side and only potentially compromised if you used a public or shared computer – it is highly unlikely that anyone’s credentials were compromised without their knowledge,” a Twitter spokesperson told Threatpost. “Out of an abundance of caution, we want to make sure people are aware of the issue and know how to reset their credentials if they think they may have accessed their developer account from a public or shared computer.”
The security bug adds another layer to what has been reported as a contentious relationship between Twitter and its developer community. Starting in 2012, the social media company reportedly began placing tight restrictions on developers, including blocking them from new features like polls and group DMs. Developers claimed that Twitter was instead pushing users toward the company’s own apps.
Earlier in the year, a mobile spearphishing attack targeting “a small number of employees” led to July’s unprecedented attack on high-profile Twitter accounts, which pushed out a Bitcoin scam. In February, Twitter said that malicious actors, with potential ties to state-sponsored groups, were abusing a legitimate function on its platform to unmask the identity of users. And in December 2019, Twitter urged Android users to update their app to avoid a security bug that allowed a malicious user to access private account data and could also allow an attacker to take control of accounts to send tweets and direct messages.