Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks

guest · Oct 7, 2019

Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks
Millions of iOS users could be vulnerable to man-in-the-middle attacks that trace back to flawed Twitter code used in popular iPhone apps
October 7, 2019
https://threatpost.com/vulnerable-twitter-api-leaves-millions-open-to-attack/148945/

Researchers are warning that an old Twitter API still used by popular iOS mobile apps that could be abused as part of a man-in-the-middle attack. It could be used to hijack Twitter accounts and compromise other third-party apps that are linked to the same “login with Twitter” feature.

According to researchers with Germany-based Fraunhofer SIT, the culprit is a flawed TwitterKit library that was replaced by Twitter about a year ago. However, a review of the 2,000 most popular German iOS mobile apps revealed that the bad code is sill being in use by 45 applications and impacting millions of German users.
Worldwide the number of apps running the buggy Twitter Kit framework could be closer to tens of thousands, researchers said.
Click to expand...

“They wanted to increase the security by implementing a public key pinning of trusted root certificate authorities (CA), such as VeriSign, DigiCert and GeoTrust. So they created [an] array with entries of 21 public key hashes for the CAs,” researchers wrote in a breakdown of their research.
They explained that the domain name of the leaf certificate is not verified by iOS. Because it’s not verified, any valid certificate (of the 21) with a public key hash, is accepted by the vulnerable app.

“An attacker with a valid certificate for his own domain, issued by one of these CAs, can use this certificate for man-in-the-middle-attacks against apps communicating via the Twitter Kit for iOS with api.twitter.com,” wrote the researchers.
Click to expand...

Log in or Sign up

Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks

guest Guest

Log in or Sign up

Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks

guest Guest

Useful Searches