The Fraunhofer Institute for Secure Information Technology SIT in Darmstadt has discovered serious flaws in TwitterKit for iOS 3.4.2 that can lead to account abuse and data loss. TwitterKit is an end-of-life software library that is no longer maintained but is still used in apps. The Fraunhofer researchers urge app developers to stop using TwitterKit in new iOS projects and to replace it in existing apps. Technical details about the vulnerability can be found here: www.sit.fraunhofer.de/cve.
TwitterKit for iOS 3.4.2 and older versions are still being used in popular apps. Experts at Fraunhofer SIT have discovered a bug in the library's interface to Twitter: it does not correctly validate the TLS certificate presented by Twitter's servers. An attacker in a man-in-the-middle position can therefore read private data from the user's Twitter account, such as protected tweets and direct messages, or post, like and retweet tweets on the user's behalf. In addition, any app that uses the vulnerable TwitterKit to offer a login via Twitter can be attacked. iOS users are therefore advised not to use a Twitter login offered inside an app.
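The following Swift example is added here to illustrate the class of bug described above; it is not code from the Fraunhofer advisory or from TwitterKit, and it makes no claim about how TwitterKit's own check was written. It contrasts a URLSession delegate that answers the server-trust challenge without evaluating it (so any man-in-the-middle certificate is accepted) with one that first runs the system's chain and hostname validation and then pins the leaf certificate. The host name and the pinned hash are placeholders chosen for the example, not Twitter's real values, and an app that still ships TwitterKit cannot fix the library's internal networking this way; as the advisory says, the library has to be removed.

```swift
import Foundation
import Security
import CryptoKit   // SHA256; requires iOS 13 / macOS 10.15 or later

// Assumed values for the example only: the pin is a placeholder, NOT Twitter's real certificate hash.
let assumedHost = "api.twitter.com"
let assumedPinnedCertHashes: Set<String> = [
    "PLACEHOLDER_BASE64_SHA256_OF_LEAF_CERT_DER="
]

/// Insecure pattern: the server's trust object is handed straight back as a credential
/// without ever being evaluated, so a certificate presented by an attacker on the path
/// is accepted just like Twitter's genuine one.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no validation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Hardened pattern: full chain and hostname validation first, then a pin on the leaf certificate.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertHashes: Set<String>   // base64(SHA-256(DER of the leaf certificate))

    init(pinnedCertHashes: Set<String>) {
        self.pinnedCertHashes = pinnedCertHashes
    }

    /// Returns true only if the chain validates for `host` under the TLS server policy
    /// and the leaf certificate matches one of the pins.
    func isTrusted(_ trust: SecTrust, host: String) -> Bool {
        // 1. Chain validation against the system trust store, with hostname checking.
        //    Comparing a single field (subject name, serial number, a fingerprint of some
        //    certificate in the chain) instead of evaluating the chain is the mistake that
        //    lets an attacker-issued certificate through.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess else { return false }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return false }

        // 2. Pinning: hash the leaf certificate's DER encoding and compare with the expected set.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
        let der = SecCertificateCopyData(leaf) as Data
        let encoded = Data(SHA256.hash(data: der)).base64EncodedString()
        return pinnedCertHashes.contains(encoded)
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. client auth): let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if isTrusted(trust, host: challenge.protectionSpace.host) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // fail closed
        }
    }
}

/// Usage with the assumed host. With the placeholder pin the request is expected to be
/// rejected; replace the pin with the real leaf hash before using this in an app.
func makePinnedRequest() {
    let session = URLSession(configuration: .ephemeral,
                             delegate: PinnedDelegate(pinnedCertHashes: assumedPinnedCertHashes),
                             delegateQueue: nil)
    let task = session.dataTask(with: URL(string: "https://\(assumedHost)/")!) { _, response, error in
        if let error = error {
            print("request rejected: \(error)")
        } else if let http = response as? HTTPURLResponse {
            print("pinned connection established, status \(http.statusCode)")
        }
    }
    task.resume()
}
```

Pinning the whole leaf certificate, as above, is the simplest pin to get right but must be rotated whenever the server certificate is renewed; pinning the SubjectPublicKeyInfo hash survives renewals with the same key but needs the correct ASN.1 header prepended to the raw key bytes on Apple platforms. Either way, the pin is an addition on top of `SecTrustEvaluateWithError`, never a replacement for it.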
The Fraunhofer experts informed Twitter immediately. Twitter announced that there will be no patch to close the vulnerability, since support for TwitterKit had already ended at the end of October 2018. Twitter's own Periscope app, however, has since been patched. The Fraunhofer security researchers are now addressing all app developers: “We want to warn all iOS developers urgently against using this software library or leaving it in their code. The whole TwitterKit is insecure,” says Dr. Jens Heider, mobile security expert at Fraunhofer SIT. Twitter itself lists alternatives to the in-house TwitterKit here: http://ots.de/TnzS7b
The security experts at Fraunhofer SIT found the vulnerability in TwitterKit with the help of Appicaptor, the institute's own app test framework. More information about the tool and testing services can be found at www.sit.fraunhofer.de/appicaptor.