Specifically, affected is the Twitter kit iOS 3.4.2, an end-of-life Twitter software library that many apps use to communicate with Twitter. Identity theft, account abuse and data loss are possible via the security vulnerability. According to researchers at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt, developers of apps should no longer use the Twitter kit and replace it with alternatives in existing apps. Technical details can be found on the Fraunhofer SIT homepage.
In order to track down the security hole, the researchers at Fraunhofer SIT used the specially developed test tool »Appicaptor«. They found an error in the interface to Twitter, which does not check the Twitter certificate correctly. As a result, attackers can view private data such as protected tweets and direct messages from the account or tweet, like and retweet on behalf of the user. Any app that uses the malicious kit to offer a login for Twitter can also be attacked.
The researchers scanned Germany's most popular 2000 iOS apps and found 45 affected apps. Of the more than two million apps in the Apple Store, many applications of different categories are likely to be affected. In addition, the Twitter kit for iOS is integrated into other developer frameworks, such as Google Fabric.
Twitter does not provide a patch
According to information provided by the researchers, Twitter announced that they would not close the vulnerability with a patch, as support for the Twitter kit had already expired at the end of October 2018. However, the Twitter app »Periscope« has now been patched. Twitter itself mentions alternatives to its own Twitter kit.
There is bad news for all users of a Twitter app: whether and how someone is affected cannot be determined easily. iOS app users are advised not to use a Twitter login offered in an app. Especially not if you are in a public WLAN. The weak points are particularly easy to exploit here.