Incorrect server settings on the Twitter Developer portal led to browsers caching API keys, account access token and secret.

By

Catalin Cimpanu

for Zero Day

| September 25, 2020 — 17:10 GMT (10:10 PDT)

| Topic: Security


Twitter is notifying developers today about a possible security incident that may have impacted their accounts.

The developer.twitter.com website is the portal where developers manage their Twitter apps and the API keys attached to them, and where they can also view the access token and secret for their own Twitter account.

In an email sent to developers today, Twitter said that the developer.twitter.com website had been telling browsers to store copies of the API keys, account access token, and account secret in their cache, the local store where a browser keeps copies of responses so that the same page loads faster on a later visit.

This is a minor concern for developers who only use their own browsers, but Twitter is warning developers who may have used public or shared computers to access developer.twitter.com: copies of their keys and tokens may still sit in the caches of those browsers.

“If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed,” Twitter said.

“Depending on what pages you visited and what information you looked at, this could have included your app’s consumer API keys, as well as the user access token and secret for your own Twitter account,” Twitter said.

Twitter said it fixed the issue by changing what content gets cached when users access the developer.twitter.com portal.
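The fix described above comes down to the caching directives a server sends with a response. The following is an added example, not code from Twitter or the developer portal, that audits response headers for the combination the advisory warns about: a body carrying credentials together with headers that let the browser write it to its cache. The paths, header values and body snippets are constructed for illustration, and the list of credential field names is an assumption about what such a page might render.

```javascript
// Added example, not Twitter's code: does a response's Cache-Control let a browser
// keep a copy of the body, and which sample responses carry credentials it may store?

// Parse a Cache-Control header into a map of lower-cased directive -> value or true.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const [name, raw] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = raw === undefined ? true : raw.replace(/^"|"$/g, '');
  }
  return directives;
}

// True if a browser's HTTP cache is allowed to write the response body to storage.
// Only `no-store` forbids storage. `no-cache`, `private`, `max-age=0` and a past
// `Expires` only govern reuse of the stored copy: the bytes still land on disk,
// which is what matters on a shared machine.
function browserMayStore(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return !('no-store' in parseCacheControl(lower['cache-control']));
}

// Constructed list of JSON field names that mark a body as carrying credentials.
const SECRET_FIELDS = /"(consumer_key|consumer_secret|access_token|access_token_secret)"\s*:/;

// Paths whose body carries a credential and whose headers permit the browser to
// store it: the misconfiguration described in the article.
function findCacheableSecrets(responses) {
  return responses
    .filter((r) => SECRET_FIELDS.test(r.body) && browserMayStore(r.headers))
    .map((r) => r.path);
}

// Headers a page that renders keys or tokens should send. `no-store` does the
// work; `Pragma` and `Expires` are belt-and-braces for HTTP/1.0-era caches.
function hardenedHeaders() {
  return {
    'Cache-Control': 'no-store',
    Pragma: 'no-cache',
    Expires: '0',
  };
}

// Constructed sample responses: the weak configuration (`private, max-age=0`,
// which still allows storage) beside the hardened one, plus a harmless page.
const SAMPLE_RESPONSES = [
  {
    path: '/portal/apps/example/keys',
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'private, max-age=0' },
    body: '{"consumer_key":"EXAMPLEKEY","consumer_secret":"EXAMPLESECRET"}',
  },
  {
    path: '/portal/apps/example/keys-fixed',
    headers: { 'Content-Type': 'application/json', ...hardenedHeaders() },
    body: '{"consumer_key":"EXAMPLEKEY","consumer_secret":"EXAMPLESECRET"}',
  },
  {
    path: '/portal/dashboard',
    headers: { 'Content-Type': 'text/html', 'Cache-Control': 'public, max-age=600' },
    body: '<html>dashboard, no credentials here</html>',
  },
];

console.log('storable responses carrying credentials:', findCacheableSecrets(SAMPLE_RESPONSES));
```

Run against the constructed samples, only `/portal/apps/example/keys` is flagged: `private, max-age=0` keeps the copy from being shared or served stale without revalidation, but does not stop the browser writing it to disk, so a later user of the same machine who knows where to look can still read it. The same check is easy to point at a real portal by replacing the samples with captured responses.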

The social network also said it has no indication that any API keys have leaked this way, as an attacker must have (1) known about the bug, and (2) had access to a developer’s browser to extract the keys and tokens.

“I believe that Twitter did the right thing by notifying the developers,” John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.

“While I’m sure they will face scrutiny, transparency about security issues is a commendable community practice,” he added.

“Generally, caching sensitive information such as API keys on the client-side is an extremely bad practice and an obvious misconfiguration. The overall risk of this vulnerability is one that should undoubtedly be taken seriously, but the probability of day to day exploitation is low,” Jackson said.

“I am curious to know what other sensitive information Twitter is caching, as this is not the first situation in which Twitter has done this, seen before when it was discovered that messages were being cached,” Jackson said, referring to a similar incident the social network disclosed in April, when it said that some private files sent via direct messages might have remained in Firefox’s browser cache.


Source: https://www.zdnet.com/article/twitter-warns-of-possible-api-keys-leak/


Twitter warns of possible API keys leak | ZDNet
