UPDATED 20:46 EDT / SEPTEMBER 27 2020

SECURITY

Twitter warns developers of potentially exposed API keys and access tokens

Twitter Inc. is warning developers that their application programming interface key, user access tokens and token secrets for their own Twitter accounts may have been exposed in browser caches.

In a notice to developers Friday, Twitter said the keys and tokens may have been temporarily stored in the browser’s cache when a developer viewed them on a public or shared computer. “If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed,” the notice reads.

The warning applies only to developers who viewed their keys and tokens on a public or shared computer. Twitter has since changed the caching instructions its developer pages send to the browser so that information about developer apps and accounts is no longer stored in the cache, preventing a repeat of the exposure.
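The fix Twitter describes comes down to the caching directives a page carrying secrets sends to the browser. The following check, an added example that is not Twitter's code, parses a response's `Cache-Control` header and reports why a browser would still be allowed to keep a copy on disk; directive semantics follow RFC 7234, and the two header sets at the bottom are constructed samples of a weak configuration beside the corrected one.

```python
"""Check whether an HTTP response carrying secrets may be written to a
browser cache. Added example for the caching change described above; it is
not Twitter's code. Directive semantics follow RFC 7234 and the header
sets at the bottom are constructed samples."""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into lowercase directive -> argument."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a secret-bearing response could survive in the
    browser's disk cache (an empty list means the headers are adequate).

    Only no-store forbids storage outright. 'private' stops shared proxies
    but not the browser, and 'no-cache' allows storage and merely forces
    revalidation, so the bytes stay on disk. Header names are matched
    case-insensitively, as browsers do."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("missing Cache-Control: no-store")
        if "private" in cc:
            findings.append("'private' only blocks shared caches, not the browser")
        if "no-cache" in cc:
            findings.append("'no-cache' still lets the browser store the response")
        if cc.get("max-age", "0") != "0":
            findings.append(f"max-age={cc['max-age']} keeps the copy fresh on disk")
    return findings


def browser_may_store(headers: Dict[str, str]) -> bool:
    """True if a browser is permitted to write this response to its cache."""
    return "missing Cache-Control: no-store" in cache_findings(headers)


# Constructed samples: a weak header set and the corrected one.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=3600"}
SAFE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-store"}
```

Run `cache_findings` over the headers your own key-display page returns; anything other than an empty list means a shared machine could retain the page after the developer walks away.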

If developers have used a shared computer, Twitter is advising that they regenerate their app keys and tokens.

“Since hundreds of billions of dollars in online business rely on APIs to smoothly function, this growing ubiquity makes APIs a juicy target for malicious hackers trying to exploit weaknesses in these connection points,” Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE. “Leaked keys and security tokens make their way to the dark web and are used in automated attacks against API endpoints.”

Naik said that in PerimeterX’s research, it found that on many websites and applications, more than 75% of login requests from API endpoints are malicious.

“The growth in API attacks is driven by the simple fact that they are easier and more economical to mount while being harder to detect than legacy browser-based botnet attacks,” Naik said. “To beat API bots, businesses need a new defensive methodology driven by machine learning, sophisticated behavior modeling, and a constant real-time feedback loop. Developers must take steps to ensure that API keys and security tokens are properly protected using key vaults.”

Images: Shawn Campbell/Flickr, Duncan Riley
