Twitter developers’ private keys and account tokens could be exposed

Twitter emailed developers to warn them about a bug that may have exposed their private keys and account tokens. In the email, the company said that the sensitive information had inadvertently been stored in the browser’s cache.

Before the fix, if anyone used a public or shared computer to view their private keys and tokens on developer.twitter.com, the keys and tokens may have been temporarily stored in the computer’s cache.

If someone used the same computer after a developer, within a specific timeframe, they might have accessed the information if they knew what to look for.

Not just private keys

The email added that the developer’s access token for their accounts might have been exposed in some circumstances. The private keys and tokens are considered sensitive and are supposed to be kept secret because someone can use them to interact with Twitter, posing as the developer. 

Access tokens are no exception when it comes to secrecy. If stolen, they can give an attacker access to a user’s account without needing a password.

Twitter said that it had not seen any evidence that anyone malicious had exploited the bug, but it chose to err on the side of caution by alerting developers.

No details were released, but a fix is available

It is not known how many developers have been affected by the bug or when it was fixed. A spokesman from the social media giant declined to provide any figures.

In June, something similar happened when Twitter said that business customers’ private information might have been stored improperly in the browser caches.

During a time when attacks are becoming increasingly aggressive, it is imperative for companies that have massive caches of public data to play it safe and ensure that their users are not compromised carelessly.