The vulnerability can be exploited to hack Twitter accounts and compromise other applications.
Fraunhofer-Institut für Sichere Informationstechnologie (Germany) warned of a vulnerability in the old Twitter API, which is still used by popular iOS mobile apps. The vulnerability can be exploited as part of a man-in-the-middle (MitM) attack to hack Twitter accounts and compromise other applications that offer a “log in using Twitter” function.
The problem is in the TwitterKit library, which was replaced by Twitter about a year ago. A test of 2000 of the most popular German mobile iOS apps revealed vulnerable code in 45 of them, affecting millions of users in Germany. According to the researchers, the number of vulnerable applications in the world can reach tens of thousands. Vulnerable applications include news readers, as well as other services and applications that allow you to log in via the Twitter access token.
The vulnerability CVE-2019-16263 in releases of TwitterKit 3.4.2 and below for iOS is caused by incorrect validation of the TLS certificate for api.twitter.com. Although the certificate chain must contain one of the pinned certificates, there are implementation errors, such as a lack of hostname verification. To exploit the vulnerability, an attacker must first take control of a Wi-Fi access point. As soon as the victim joins the compromised wireless network, the attacker will be able to obtain the user’s Twitter OAuth token.
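The flaw described above is a certificate check that confirms a pinned certificate is somewhere in the chain but never compares the leaf certificate's names with the host the app meant to reach. The following Python is an added illustration of that validation logic, not TwitterKit's code: it models certificates as simple records with constructed SPKI bytes (real pins are SHA-256 hashes of the DER SubjectPublicKeyInfo), and contrasts the weak chain-membership check with a hardened check that also requires a hostname match on the leaf. The certificate names, keys and the "pinned CA" are all constructed for the example.

```python
"""Added example: certificate pinning with and without hostname verification.
Models the class of defect in CVE-2019-16263; not TwitterKit's implementation."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Cert:
    subject_cn: str
    sans: List[str]   # DNS names from the subjectAltName extension
    spki: bytes       # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def hostname_matches(hostname: str, cert: Cert) -> bool:
    """RFC 6125-style DNS-ID matching: exact SAN match, or a wildcard
    that covers exactly one label on the left. CN fallback is deliberately
    omitted, as modern validators ignore the CN when SANs are present."""
    host = hostname.lower().rstrip(".")
    for name in cert.sans:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            first, rest = host.split(".", 1)
            if rest == name[2:] and "." not in first:
                return True
    return False


def weak_validate(chain: List[Cert], pins: Set[str]) -> bool:
    """Flawed check: pass if any certificate in the chain matches a pin.
    The hostname is never compared, so any certificate issued under the
    pinned CA, for any name, is accepted."""
    return any(spki_pin(c) in pins for c in chain)


def strict_validate(chain: List[Cert], pins: Set[str], hostname: str) -> bool:
    """Hardened check: a pin must match AND the leaf (chain[0]) must be
    valid for the hostname the client intended to connect to."""
    if not chain:
        return False
    pin_ok = any(spki_pin(c) in pins for c in chain)
    return pin_ok and hostname_matches(hostname, chain[0])


# --- constructed test data (not real certificates or keys) ---
PINNED_CA = Cert("Constructed Pinned CA", [], b"constructed-pinned-ca-key")
PINS = {spki_pin(PINNED_CA)}

# Legitimate leaf for the API host, issued under the pinned CA.
LEGIT_LEAF = Cert("api.twitter.com", ["api.twitter.com"], b"constructed-api-key")
LEGIT_CHAIN = [LEGIT_LEAF, PINNED_CA]

# A leaf for an unrelated name, also issued under the same CA. With the
# weak check this chain passes even though it is not for api.twitter.com.
OTHER_LEAF = Cert("other.example", ["other.example"], b"constructed-other-key")
OTHER_CHAIN = [OTHER_LEAF, PINNED_CA]


if __name__ == "__main__":
    target = "api.twitter.com"
    for label, chain in (("legitimate", LEGIT_CHAIN), ("unrelated name", OTHER_CHAIN)):
        print(f"{label:15} weak={weak_validate(chain, PINS)!s:5} "
              f"strict={strict_validate(chain, PINS, target)}")
```

The weak check reports both chains as valid; the strict check accepts only the chain whose leaf names the intended host, which is the property hostname verification provides on top of pinning.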
Twitter abandoned the TwitterKit library in October 2018 and asked developers to switch to alternative libraries. However, the company left the old code in its repository on GitHub without warning of its insecurity. Researchers informed the company of the API vulnerability back in May 2019. Twitter confirmed the vulnerability but did not release a patch for the unsupported library. Instead, the company replaced the API code with an updated version.