Twitter Access Key
ID: twitter_access_key
Severity: high
Vendor:
Family: Access key
Description
For access to the Twitter API, a developer account provides a client_id / client_secret pair for authentication with the API. This allows the client to send tweets or direct messages on behalf of the user.
Security
Any hardcoded client secret is reported by this detector as a potential leaked secret. Once leaked, it lets an attacker perform operations through the Twitter API on behalf of the owning user.
Examples
```python
from tweepy import OAuthHandler
from tweepy import API
from tweepy import Stream

twitter_consumer_key = '00Cro9uK8yoF8gjEjdL843iud'
# Hardcoded Twitter client secret
twitter_consumer_secret = '7ByIdvpTu5Q8LOmieghbv933kIB9FhAGXlQPqWxGZYTPKvSJEa'

auth = OAuthHandler(twitter_consumer_key, twitter_consumer_secret)
```
Mitigation / Fix
- Remove the hardcoded secret from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the Twitter developer's dashboard.
- Check usage metrics in the Twitter developer's dashboard to detect suspicious activity during the compromised period.
- Limit the scope of the Twitter developer App to the minimum access permissions needed: read, read/write or read/write/direct messages.
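Added example, not the detector's own rules: a heuristic scanner that flags Twitter-shaped consumer key/secret literals assigned to credential-like names, alongside the environment-based loader that the first mitigation step replaces them with. It assumes the common 25-character key / 50-character secret lengths and the name hints as its own rule of thumb.

```python
import os
import re

# Heuristic, added for illustration (not the detector's real rule set): Twitter consumer
# keys are 25 alphanumeric characters, secrets 50, assigned to a credential-like name.
_ASSIGN = re.compile(
    r"""^[ \t]*(?P<name>[A-Za-z_]\w*)[ \t]*[:=][ \t]*["'](?P<value>[A-Za-z0-9]{25}|[A-Za-z0-9]{50})["']""",
    re.MULTILINE,
)
_NAME_HINT = re.compile(r"twitter|consumer", re.IGNORECASE)
_KIND_HINT = re.compile(r"key|secret", re.IGNORECASE)


def find_twitter_secrets(source: str) -> list[dict]:
    """One finding per line that assigns a Twitter-shaped literal to a credential-like name."""
    findings = []
    for m in _ASSIGN.finditer(source):
        name, value = m.group("name"), m.group("value")
        if not (_NAME_HINT.search(name) and _KIND_HINT.search(name)):
            continue
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "name": name,
            "kind": "consumer_secret" if len(value) == 50 else "consumer_key",
            "preview": value[:4] + "...",  # never echo the full secret into logs or tickets
        })
    return findings


def load_twitter_credentials(env=os.environ) -> tuple[str, str]:
    """Hardened pattern: credentials come from the environment, never from source."""
    try:
        return env["TWITTER_CONSUMER_KEY"], env["TWITTER_CONSUMER_SECRET"]
    except KeyError as exc:
        raise RuntimeError(f"missing Twitter credential: {exc.args[0]}") from None


# Constructed samples: the page's hardcoded snippet next to its environment-based fix.
VULNERABLE_SNIPPET = """
twitter_consumer_key = '00Cro9uK8yoF8gjEjdL843iud'
twitter_consumer_secret = '7ByIdvpTu5Q8LOmieghbv933kIB9FhAGXlQPqWxGZYTPKvSJEa'
"""
HARDENED_SNIPPET = """
twitter_consumer_key = os.environ["TWITTER_CONSUMER_KEY"]
twitter_consumer_secret = os.environ["TWITTER_CONSUMER_SECRET"]
"""

if __name__ == "__main__":
    print(find_twitter_secrets(VULNERABLE_SNIPPET), find_twitter_secrets(HARDENED_SNIPPET))
```

The scanner reports the hardcoded key and secret from the page's example and nothing for the hardened form; previews are truncated so a finding can be filed without re-leaking the value.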