
Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks

Paulo Renato ・2 min read

In this article we can read that, after studying the 2,000 most popular iOS mobile apps in Germany, researchers revealed that the Twitter Kit SDK, deprecated in October 2018 because of CVE-2019-16263, is still in use by 45 popular apps. Those apps are used by millions of German users, and the SDK possibly remains in tens of thousands of apps worldwide.

TLDR

Hijack Twitter accounts with a MITM attack

Researchers are warning that an old Twitter API still used by popular iOS mobile apps could be abused as part of a man-in-the-middle attack. It could be used to hijack Twitter accounts and compromise other third-party apps that are linked to the same “login with Twitter” feature.

The Twitter OAuth Token compromise

While not singling out specific applications by name, Heider said affected apps include newsreaders and many other services or applications that allow a user to log in via their Twitter Access Token: “If an attacker is able to gain access to the (Twitter) OAuth token, they are able to use it to post to the target's Twitter account, read past private messages and like and retweet the tweets of other users.”

The Security Flaw in the Twitter Kit SDK for iOS

“They wanted to increase the security by implementing a public key pinning of trusted root certificate authorities (CA), such as VeriSign, DigiCert and GeoTrust. So they created [an] array with entries of 21 public key hashes for the CAs,” researchers wrote in a breakdown of their research.

They explained that the domain name of the leaf certificate is not verified by iOS. Because it is not verified, any valid certificate chaining to one of the 21 pinned CA public key hashes is accepted by the vulnerable app, regardless of which domain it was issued for.

“An attacker with a valid certificate for his own domain, issued by one of these CAs, can use this certificate for man-in-the-middle-attacks against apps communicating via the Twitter Kit for iOS with api.twitter.com,” wrote the researchers.
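The flaw the researchers describe is a pinning check that compares only the root CA's public key hash against an allow-list and never compares the leaf certificate's name with the host the app meant to reach. The following Python model is an added example written for this post; it is not code from the Twitter Kit SDK or from the researchers. The certificate chain, the 21 constructed root CAs and the `Cert` class are all assumptions that stand in for real X.509 objects, and the model assumes that signature and expiry validation of the chain happens elsewhere, so that only the app's extra pinning logic is shown. The vulnerable check and the hardened check are run side by side against a legitimate chain and a chain issued by the same CA for a different domain.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of an X.509 chain: only the fields this check needs.
# Hypothetical; real code would take these from the TLS handshake.
@dataclass
class Cert:
    subject_cn: str      # hostname in the leaf's subject / SAN (or CA name)
    spki_der: bytes      # SubjectPublicKeyInfo, DER encoded
    is_ca: bool = False


def spki_sha256(cert: Cert) -> str:
    """Public key pin in the HPKP / TrustKit style: SHA-256 over the DER SPKI."""
    return hashlib.sha256(cert.spki_der).hexdigest()


# Constructed stand-ins for the SDK's list of 21 trusted root CAs.
ROOT_CAS: List[Cert] = [
    Cert("Example Root CA %d" % i, b"root-spki-%d" % i, is_ca=True) for i in range(21)
]
PINNED_ROOT_HASHES = {spki_sha256(c) for c in ROOT_CAS}


def hostname_matches(pattern: str, host: str) -> bool:
    """Minimal RFC 6125 style match: exact name, or one left-most wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".twitter.com"
        # The wildcard must cover exactly one label, so the dot counts must agree.
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def vulnerable_pin_check(chain: List[Cert], expected_host: str) -> bool:
    """Mirrors the flaw described above: the chain passes as soon as its root
    is one of the 21 pinned CAs; expected_host is never compared with the leaf."""
    return spki_sha256(chain[-1]) in PINNED_ROOT_HASHES


def hardened_pin_check(chain: List[Cert], expected_host: str) -> bool:
    """Pin the root AND verify the leaf's name, so a certificate that the same
    CA issued for some other domain does not pass."""
    leaf = chain[0]
    if leaf.is_ca or not hostname_matches(leaf.subject_cn, expected_host):
        return False
    return spki_sha256(chain[-1]) in PINNED_ROOT_HASHES


def compare_checks() -> Dict[str, bool]:
    """Run both checks against a legitimate chain and a same-CA chain for another domain."""
    target = "api.twitter.com"
    legit_chain = [Cert("api.twitter.com", b"twitter-leaf-spki"), ROOT_CAS[3]]
    # Constructed chain for an unrelated domain, issued by the same pinned CA.
    other_domain_chain = [Cert("other.example", b"other-leaf-spki"), ROOT_CAS[3]]
    return {
        "vulnerable_accepts_legit": vulnerable_pin_check(legit_chain, target),
        "vulnerable_accepts_other_domain": vulnerable_pin_check(other_domain_chain, target),
        "hardened_accepts_legit": hardened_pin_check(legit_chain, target),
        "hardened_accepts_other_domain": hardened_pin_check(other_domain_chain, target),
    }


if __name__ == "__main__":
    for name, accepted in compare_checks().items():
        print("%-34s %s" % (name, accepted))
```

The takeaway for anyone writing a custom trust evaluator: pinning narrows which CAs you accept, but it never replaces hostname verification. If you override the platform's default validation, the hostname check must be re-added explicitly (or pin the leaf or intermediate key instead of a widely shared root), and a good test suite includes a case exactly like `other_domain_chain` above.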

Let's Discuss

Using a Public WiFi

In order to exploit the vulnerability, researchers said, an adversary would first need to take control of a Wi-Fi access point. Next, a victim would log into the rogue wireless network, and then the attacker could capture the Twitter OAuth token for a user session.

While you may think that a rogue WiFi is rare, it is becoming an increasingly common attack vector for cyber criminals to achieve their goals.

Do you trust using a public WiFi in hotels, airports, shopping malls, etc.?

If your reply is yes, then you may want to read this article:

One of the financially motivated threat actors operating under the Magecart umbrella appears to be testing malicious code to inject into commercial-grade layer 7 (L7) routers, IBM reports.

Still not convinced?

So I recommend searching Google for "public wifi compromise".

Don't forget to give your point of view in the comments.

Posted on Nov 20 '19 by:


Paulo Renato

@exadra37

I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io. Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
