The outdated API that many iOS applications still use for authorization via Twitter contains a vulnerability that could allow an attacker in a man-in-the-middle position to obtain the user’s OAuth access token and perform various actions on the social network on behalf of the victim.

According to experts from the German company Fraunhofer SIT, the vulnerability, CVE-2019-16263, is linked to the Twitter Kit library, which Twitter developers abandoned about a year ago.
Nevertheless, an analysis of 2,000 popular iOS programs in Germany showed that the problematic code is still present in 45 applications installed by millions of people in that country. Considered on a global scale, the list of software products using the outdated Twitter Kit framework could, according to the researchers, run to tens of thousands of items.
According to Twitter, Twitter Kit is an open-source software development kit (SDK) that allows mobile applications to display tweets, authorize social network users, and work with the Twitter API. The obsolete library was discontinued in October 2018; at that time, application developers were advised to switch to other SDKs. However, the problematic code, according to Jens Heider of Fraunhofer SIT, remained in the GitHub repository without any warning that it could be exploited in cyberattacks.
“The Twitter library on GitHub still contains dangerous code; this worries us, because the applications using it are working properly and the developers are not keen to update them by moving to a more secure Twitter library,” the expert said.
In his comment, Heider did not name the affected applications, noting only that the list includes news-reading programs as well as many other applications and services that allow authorization via Twitter.
“If the attacker manages to get an OAuth (Twitter) token, he can use it to publish tweets in the target account’s feed, view the correspondence in PMs, and copy other users’ posts to the victim’s page,” the expert explains.
According to the Fraunhofer SIT blog post, the problem with Twitter Kit releases 3.4.2 and below for iOS is caused by inadequate validation of the TLS certificate presented for api.twitter.com.
“They [the developers] wanted to increase security by securing the public keys of trusted root certificate issuing centers (certification authorities, CAs) such as VeriSign, DigiCert and GeoTrust. For this purpose, they created a data array containing the hashes of 21 public keys of various CAs,” the authors of the study write.
With each new connection, Twitter Kit checks the received certificate chain for the presence of one of the public keys from its list. However, the developers made a mistake in implementing this approach on iOS: they did not verify that the domain name in the end-entity certificate (also called the leaf certificate) matches the host being contacted. Because of this, a vulnerable application will accept any chain of valid certificates as long as one of the public keys in it matches the pinned list.
“A domain owner who has a valid certificate issued by one of these CAs will be able to use it to conduct MitM attacks against applications that interact with api.twitter.com via Twitter Kit for iOS,” the researchers explain.
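The flaw described above, as an added illustration that is not code from Twitter Kit or from the Fraunhofer SIT study: a CA-key pin check that stops at “some certificate in the chain carries a pinned key” next to the same check with the missing leaf hostname comparison. The certificates, key bytes and domain names are constructed stand-ins, and the platform is assumed to have already validated signatures and expiry before this hook runs.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed stand-in for an X.509 certificate: only the fields the check needs.
@dataclass(frozen=True)
class Cert:
    subject_cn: str   # name the certificate was issued for (CN / SAN)
    spki_der: bytes   # SubjectPublicKeyInfo bytes (constructed, not a real key)

def spki_pin(spki_der: bytes) -> str:
    """Pin in the usual form: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_has_pinned_key(chain, pins) -> bool:
    """Accept as soon as ANY certificate in the chain carries a pinned key."""
    return any(spki_pin(c.spki_der) in pins for c in chain)

def hostname_matches(cert: Cert, host: str) -> bool:
    """Minimal RFC 6125-style name match: exact name or one-label wildcard."""
    name, host = cert.subject_cn.lower(), host.lower()
    if name.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1] == name[2:]
    return name == host

def verify_vulnerable(chain, pins, host) -> bool:
    # The defect: the pin check alone decides; the leaf's name is never
    # compared to the host the client dialed, so any leaf under a pinned CA passes.
    return chain_has_pinned_key(chain, pins)

def verify_fixed(chain, pins, host) -> bool:
    # Pin check AND the leaf (chain[0]) must be issued for the dialed host.
    return chain_has_pinned_key(chain, pins) and hostname_matches(chain[0], host)

# Constructed sample data: one pinned root CA, the legitimate leaf for the API
# host, and a leaf the same CA issued to some unrelated domain owner.
PINNED_CA = Cert("Constructed Pinned Root CA", b"constructed-ca-spki")
OTHER_CA = Cert("Constructed Unpinned CA", b"constructed-other-ca-spki")
PINS = {spki_pin(PINNED_CA.spki_der)}
LEGIT_CHAIN = [Cert("api.twitter.com", b"constructed-api-spki"), PINNED_CA]
OTHER_DOMAIN_CHAIN = [Cert("other-domain.example", b"constructed-other-spki"), PINNED_CA]
UNPINNED_CHAIN = [Cert("api.twitter.com", b"constructed-x-spki"), OTHER_CA]
```

Pinning narrows which CAs may vouch for a host; it never replaces the hostname check, which is what ties the leaf to the host actually being contacted.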
The experts reported their find to Twitter in May this year. According to Jens Heider, the developers admitted there was a problem but did not release a patch for the library, which has been withdrawn from support. Instead, they replaced the Twitter API code with an updated version.