Twitter Kit for iOS versions 3.0 to 3.2.1 contain a vulnerability that could let an attacker inject unverified user authorization tokens into an app that uses the “Login with Twitter” feature, potentially allowing the attacker to associate a Twitter account with a third-party service.
The vulnerability was fixed in Twitter Kit for iOS v3.2.2, released November 28, 2017. If you are using the “Login with Twitter” feature, please upgrade to the latest release as soon as possible.
Please note that Twitter Kit for Android is not affected by this vulnerability.
Twitter is committed to protecting our users and building secure software, and we're grateful to the security community for identifying this issue and working with us to disclose it responsibly.
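One way to check whether a project resolves to an affected release, as an added example that is not part of the advisory or of Twitter's code. It assumes the SDK is installed through CocoaPods under the pod name `TwitterKit` and reads the `PODS` section of `Podfile.lock`; the lockfile content shown is constructed.

```python
import re

# Affected range taken from the advisory: 3.0 to 3.2.1, fixed in 3.2.2.
FIRST_AFFECTED, LAST_AFFECTED, FIXED = (3, 0, 0), (3, 2, 1), "3.2.2"

# Assumption: CocoaPods, pod name "TwitterKit". A resolved entry in the PODS
# section looks like "  - TwitterKit (3.2.1):". Constraint lines such as
# "- TwitterKit (~> 3.0)" carry an operator and are deliberately not matched.
RESOLVED = re.compile(r"^\s*-\s+TwitterKit\s+\((\d+(?:\.\d+){0,2})\):?\s*$")

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = """\
PODS:
  - TwitterCore (3.0.3)
  - TwitterKit (3.2.1):
    - TwitterCore (>= 3.0.3)

DEPENDENCIES:
  - TwitterKit (~> 3.0)
"""


def parse_version(text):
    """Turn '3.2' or '3.2.1' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def resolved_versions(lockfile_text):
    """Return the set of resolved TwitterKit versions in the PODS section."""
    versions, in_pods = set(), False
    for line in lockfile_text.splitlines():
        if line and not line[0].isspace():  # top-level key such as "PODS:"
            in_pods = line.strip() == "PODS:"
            continue
        match = RESOLVED.match(line) if in_pods else None
        if match:
            versions.add(match.group(1))
    return versions


def audit(lockfile_text):
    """Return (version, is_affected) pairs, sorted by version."""
    found = sorted(resolved_versions(lockfile_text), key=parse_version)
    return [(v, FIRST_AFFECTED <= parse_version(v) <= LAST_AFFECTED) for v in found]


if __name__ == "__main__":
    for version, affected in audit(SAMPLE_LOCK):
        print(version, f"affected, upgrade to {FIXED} or later" if affected else "ok")
```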