Twitter Developers May Have Had Their Private Keys Exposed

• Twitter has had a browser cache leak problem again, and this time it hit app developers.
• This category of users may have had their apps’ private keys and tokens accessed by others.
• Those impacted are users who accessed the platform through a public or shared computer.

Twitter is sending notices to app developers, warning them about the chance of having had their private keys and account tokens leaked. Apparently, the cause of the problem was the improper storage of this confidential information on the browser’s cache.

The social media company assures the recipients that the problem has been fixed now. Still, if they used a public or shared computer to view their app keys and tokens on “developer.twitter.com” previously, the damage may have been done.

https://twitter.com/davegershgorn/status/1309530150128754688

Of course, someone would have to access the browser’s cache on that computer and know what to look for, so they should know about this bug in the first place. Depending on what pages the developer visited and what information was accessed, the exposure may even include the app’s consumer API keys, user access token, and details about their own Twitter account. All that said, if the developer hasn’t used anything other than their personal computers, this flaw isn’t practically impacting them in any way.

Twitter claims that they’ve seen no evidence that malicious actors actually exploited this bug in the wild, but they still chose to inform the developers out of an abundance of caution. The company didn’t specify the number of developers who could have potentially been affected by this, though.

Strangely, this type of flaw has been plaguing Twitter for quite a long time now. In April 2020, Twitter warned users that if they used Mozilla Firefox on a shared or public computer to access their accounts, their DMs (direct messages) would remain retrievable from the browser’s cache for up to a week. In June 2020, Twitter informed users who were registered for “Ads” and “Analytics” that sensitive user data (like email addresses, phone numbers, and four digits of the user’s credit card) were stored in the browser’s cache again, and so someone could have accessed all these details.

Considering that this has happened three times already in 2020, those who are keen to target Twitter users have already heard about the possibility that sensitive stuff may lie in the browser’s cache. That said, the scenario of exploitation isn’t far-fetched at all.

If you want to stay on the safe side, avoid using shared and public computers to access your Twitter account. If you absolutely have to do it, at least clear the browser’s cache afterward. If you are a developer, you should regenerate app keys and tokens now, just to be sure.