Researchers say a flawed Twitter Kit library may still be in use by tens of thousands of iOS apps. The old API holds a bug that means apps don't properly validate the SSL certificate of api.twitter.com.
Many of those apps are ones that use Twitter integration for logins, such as newsreaders. The analysis by Germany's Fraunhofer SIT found that the API was still in use by 45 of the 2,000 most popular apps in the country despite being replaced a year ago.
“Because of the missing domain name verification, any valid certificate chain containing a certificate with a public key hash of that list is accepted by the app,” explained Fraunhofer SIT. “An attacker with a valid certificate for his own domain, issued by one of these CAs, can use this certificate for man-in-the-middle-attacks against apps communicating via the Twitter Kit for iOS with
api.twitter.com. As the implementation does not check the position inside the chain, the matching public key could also be in the middle of the chain, such as in case of an intermediate certificate.”
An attacker who gains access to a user's OAuth token for Twitter could potentially use it login to the main site and other third-party sites that use OAuth. These sites could contain important information about the user or be used to push spam or malware.
Despite this, Twitter has not updated its GitHub repository for TwitterKit on iOS with any indication that it could be used in attacks. Through it's depreciated, some developers have likely held off on updating because as far as they're aware, their app is still working fine. Twitter has not taken steps to fix the mistake in the code.
Thankfully, an attacker would have to have local network access to exploit this man-in-the-middle attack. This means users are mostly safe at home, so long as their network is secure, but can be vulnerable on public WiFi in cafes, hotels, and other places. Users can use a VPN when on public networks to mitigate this risk.