
Vulnerability in Twitter Kit for iOS

By Eric Frohnhoefer
Wednesday, 24 January 2018

We were recently alerted to a vulnerability in Twitter Kit for iOS. The issue was responsibly disclosed via our bug bounty program on HackerOne by the reporter “filedescriptor”.

In Twitter Kit for iOS versions 3.0 to 3.2.1, an attacker could inject unverified user authorization tokens into an app that uses the “Login with Twitter” feature, potentially allowing them to associate a Twitter account with a third-party service.

The vulnerability was fixed in Twitter Kit for iOS v3.2.2, released November 28, 2017. If you are using the “Login with Twitter” feature, please upgrade to the latest release as soon as possible.
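To check whether an app's dependency pin falls in the affected range, here is an added example (not code from Twitter or the Twitter Kit project) that scans a CocoaPods Podfile.lock for the resolved Twitter Kit version and compares it against the versions named above. The pod name "TwitterKit" and the lockfile contents are assumptions constructed for the example.

```python
# Added example (not from Twitter's advisory or the Twitter Kit project):
# scan a CocoaPods Podfile.lock for a Twitter Kit pin inside the affected range.
import re

AFFECTED_MIN = (3, 0, 0)   # first affected release per the advisory: 3.0
FIXED = (3, 2, 2)          # fix shipped in 3.2.2 (28 November 2017)
POD_NAME = "TwitterKit"    # assumed CocoaPods name for Twitter Kit for iOS

# Constructed sample Podfile.lock fragment (not a real project file).
SAMPLE_PODFILE_LOCK = """PODS:
  - TwitterCore (3.1.0)
  - TwitterKit (3.2.1):
    - TwitterCore (>= 3.1.0)
DEPENDENCIES:
  - TwitterKit (~> 3.2)
"""


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); short versions pad with 0 so '3.0' -> (3, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def resolved_pod_version(lock_text, pod=POD_NAME):
    """Return the resolved version of `pod` from the PODS: section, or None.

    Only exact pins like '- TwitterKit (3.2.1)' match; the '~> 3.2' style
    constraint in DEPENDENCIES: is ignored because it is not a resolved version.
    """
    pattern = re.compile(r"^\s*-\s+" + re.escape(pod) + r"\s+\(([\d.]+)\)", re.M)
    m = pattern.search(lock_text)
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    """True for Twitter Kit for iOS 3.0 <= version < 3.2.2 (the advisory's range)."""
    return AFFECTED_MIN <= version < FIXED


def check_lockfile(lock_text):
    """Return a short verdict string for a Podfile.lock."""
    v = resolved_pod_version(lock_text)
    if v is None:
        return "TwitterKit not present"
    label = ".".join(map(str, v))
    if is_affected(v):
        return f"TwitterKit {label}: AFFECTED, upgrade to >= 3.2.2"
    return f"TwitterKit {label}: not affected"


if __name__ == "__main__":
    print(check_lockfile(SAMPLE_PODFILE_LOCK))
```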

Please note that Twitter Kit for Android is not affected by this vulnerability.

Twitter is committed to protecting our users and building secure software, and we're grateful to the security community for identifying this issue and working with us to disclose it responsibly.
