Twitter started sending emails to developers last week to inform them of a vulnerability that could have resulted in developer information, including API keys, being disclosed.
In an email sent to developers, which was shared online, the company said that the problem, since fixed, could have caused details about Twitter developer applications to be stored in the browser cache when app builders visited the developer.twitter.com website.
Twitter email about API key vuln pic.twitter.com/srrMUQvHYt
— Dave Gershgorn (@davegershgorn) September 25, 2020
The portal is designed to give developers access to documentation, community discussion, and other information about using the Twitter platform and APIs, and it also provides key management functionality for apps and API access.
Twitter revealed in the email sent to developers that the resolved issue resulted in app keys and tokens being stored in the cache of the browser, potentially resulting in their leakage.
An attacker who obtained the leaked keys and tokens could interact with Twitter on behalf of the developer, while the access tokens would allow them to log into the developer's account without knowing its credentials.
“If you were using a public or shared computer to view your developer app keys and tokens on developer.twitter.com prior to the fix, they may have been temporarily stored on that computer in the browser cache. If someone who used the same machine after you knew how to access the cache of a browser and knew what to look for in that temporary timeframe, it is possible that they could have accessed the keys and tokens you viewed,” Twitter told developers.
App consumer API keys, along with user access tokens and secrets for the developers’ own Twitter accounts, may have been affected by the problem, according to the company. Those who have not accessed the developer portal by using a shared computer should not be affected.
The social media platform says it has no evidence that developers' app keys and tokens were compromised, but it decided to inform the affected parties so that they can take the necessary steps to keep their apps and accounts safe.
“We have changed the caching instructions sent to your browser by developer.twitter.com to prevent information about your apps or account from being stored so that this will no longer occur,” Twitter also said.
To avoid further data leaks, affected developers are advised to regenerate app keys and tokens.
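As an added illustration of the fix Twitter describes (example code written for this article, not Twitter's own), the following Python places a weak response header set beside a hardened one and runs a small audit that flags credential-bearing responses a browser is still permitted to store. The portal paths and header sets are assumptions.

```python
"""Audit responses that carry API keys for browser-cacheable headers.

Added example, not Twitter's code: models the header change the article
describes. Paths, header sets and sample responses are constructed.
"""

# Weak configuration: no caching directive, so a browser may write the
# JSON containing keys and tokens to its on-disk cache.
WEAK_HEADERS = {"Content-Type": "application/json"}

# Corrected configuration: 'no-store' forbids storing the response at all;
# 'Pragma: no-cache' is kept for HTTP/1.0 intermediaries.
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",
}

# Constructed list of portal paths assumed to return credentials.
SENSITIVE_PATHS = ("/apps/", "/account/tokens")


def cache_control_directives(headers):
    """Lowercased directive names from Cache-Control (header names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cache-control", "")
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def secrets_may_be_cached(headers):
    """True if a browser is permitted to persist this response.

    Only 'no-store' forbids storage: 'no-cache' still lets the cache keep a
    copy (it must only revalidate before reuse), and 'private' merely blocks
    shared caches, not the user's own browser cache.
    """
    return "no-store" not in cache_control_directives(headers)


def audit_response(path, headers, sensitive_paths=SENSITIVE_PATHS):
    """Findings for one response; an empty list means no issue."""
    if path.startswith(sensitive_paths) and secrets_may_be_cached(headers):
        return [f"{path}: credential-bearing response lacks 'Cache-Control: no-store'"]
    return []


def run_audit(responses):
    """Run the audit over (path, headers) pairs and collect all findings."""
    return [f for path, headers in responses for f in audit_response(path, headers)]
```

Note that `no-cache` and `private` are not enough on their own: only `no-store` stops the browser from writing the page to disk.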
Twitter revealed in early August that a problem with its Android application could have resulted in private data being exposed to malicious apps. In April, the company said that the way Firefox stored cached data could have exposed Twitter users' personal data.