Twitter warns of possible API keys leak

Incorrect server settings on the Twitter Developer portal led to browsers caching API keys, account access token and secret.
Written by Catalin Cimpanu, Contributor
Image: Kon Karampelas

Twitter is notifying developers today about a possible security incident that may have impacted their accounts.

The incident was caused by incorrect instructions that the developer.twitter.com website sent to users' browsers.

The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Twitter account.

In an email sent to developers today, Twitter said that its developer.twitter.com website told browsers to create and store copies of the API keys, account access token, and account secret inside their cache, a section of the browser where data is saved to speed up the process of loading the page when the user accessed the same site again.

This might not be a problem for developers using their own browsers, but Twitter is warning developers who may have used public or shared computers to access the developer.twitter.com website — in which case, their API keys are now most likely stored in those browsers.

"If someone who used the same computer after you in that temporary timeframe knew how to access a browser's cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed," Twitter said.

"Depending on what pages you visited and what information you looked at, this could have included your app's consumer API keys, as well as the user access token and secret for your own Twitter account," Twitter said.

Twitter said it fixed the issue by changing what content gets cached when users access the developer.twitter.com portal.

The social network also said it has no indication that any API keys have leaked this way, as an attacker must have (1) known about the bug, and (2) had access to a developer's browser to extract the keys and tokens.

Nonetheless, Twitter decided to notify developers, just to be on the safe side.

"I believe that Twitter did the right thing by notifying the Developers," John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.

"While I'm sure they will face scrutiny, transparency about security issues is a commendable community practice," he added.

"Generally, caching sensitive information such as API keys on the client-side is an extremely bad practice and an obvious misconfiguration. The overall risk of this vulnerability is one that should undoubtedly be taken seriously, but the probability of day to day exploitation is low," Jackson said.

"I am curious to know what other sensitive information Twitter is caching, as this is not the first situation in which Twitter has done this, seen before when it was discovered that messages were being cached," Jackson said, referring to a similar incident the social disclosed in April when it said that some private files sent via direct messages might have remained in the browser cache of Firefox browsers.

Facebook alternatives: Social apps you need to try

Editorial standards