Vulnerability in Twitter Kit for iOS

Friday, 26 April 2019

Editorial Note (4/26/2019):
Updated the affected versions to include 3.0 to 3.4.0 because the original fix was incomplete. Updated the version containing the fix to v3.4.2, released on October 30, 2018. Please note that Twitter Kit is no longer a supported product. Any developers who choose to continue using it should upgrade to the latest version as soon as possible.

We were recently alerted to a vulnerability in Twitter Kit for iOS. The issue was responsibly disclosed via our bug bounty program on HackerOne by the reporter “filedescriptor”.

In Twitter Kit for iOS versions 3.0 to 3.4.0, an attacker could inject unverified user authorization tokens into an app that uses the “Login with Twitter” feature, potentially allowing them to associate a Twitter account with a third-party service without the account owner having completed the login flow in that app.
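The advisory does not describe the mechanism of the flaw, so the following is an added, generic illustration of the class of bug rather than Twitter Kit's code or the actual fix: a login SDK that receives the result of an OAuth 1.0a style "Login with ..." flow through an app callback URL and trusts the token material in that URL, next to a handler that only accepts a callback whose token matches the request token it issued and then exchanges the verifier with the provider. The `FakeProvider`, the `HardenedClient` and the callback URLs are constructed for this example; the real Twitter endpoints, URL scheme and parameter handling are not shown.

```python
"""Illustration of an SDK trusting injected authorization tokens (not Twitter Kit's code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Session:
    """Result of a login: who the app thinks is signed in, and the token it holds."""
    user_id: str
    token: str
    secret: str


class FakeProvider:
    """Stand-in for the identity provider, constructed for the example.

    Tracks request tokens it issued and only hands out access tokens for a
    (request token, verifier) pair it produced itself."""

    def __init__(self) -> None:
        self._pending: Dict[str, Optional[tuple]] = {}

    def issue_request_token(self) -> str:
        tok = secrets.token_hex(8)
        self._pending[tok] = None
        return tok

    def user_authorizes(self, request_token: str, user_id: str) -> str:
        """The account owner approves the app; the provider mints a verifier."""
        verifier = secrets.token_hex(8)
        self._pending[request_token] = (verifier, user_id)
        return verifier

    def exchange(self, request_token: str, verifier: str) -> Optional[Session]:
        entry = self._pending.pop(request_token, None)
        if entry is None or entry[0] != verifier:
            return None
        return Session(entry[1], secrets.token_hex(8), secrets.token_hex(8))


def parse_callback(url: str) -> Dict[str, str]:
    """Flatten the query string of an app callback URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_handle_callback(url: str) -> Session:
    """Trusts whatever the callback URL carries. Anything that can open the
    app's URL scheme can therefore make the app sign in as a chosen account."""
    p = parse_callback(url)
    return Session(p["user_id"], p["oauth_token"], p["oauth_token_secret"])


class HardenedClient:
    """Accepts a callback only for the request token it issued, then lets the
    provider decide whether the verifier is genuine."""

    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider
        self.pending: Optional[str] = None

    def begin_login(self) -> str:
        self.pending = self.provider.issue_request_token()
        return self.pending

    def handle_callback(self, url: str) -> Optional[Session]:
        p = parse_callback(url)
        if self.pending is None or p.get("oauth_token") != self.pending:
            return None          # unsolicited or mismatched callback
        pending, self.pending = self.pending, None   # single use
        if "oauth_verifier" not in p:
            return None
        # Never take token material from the URL; exchange the verifier instead.
        return self.provider.exchange(pending, p["oauth_verifier"])


# Constructed callback URL an attacker could cause the app to open.
ATTACKER_URL = ("myapp-callback://success?user_id=attacker"
                "&oauth_token=AAAA&oauth_token_secret=BBBB")


def demo_vulnerable() -> Session:
    return vulnerable_handle_callback(ATTACKER_URL)


def demo_hardened_rejects_injection() -> Optional[Session]:
    client = HardenedClient(FakeProvider())
    client.begin_login()
    return client.handle_callback(ATTACKER_URL)


def demo_hardened_legit_flow(user_id: str = "alice") -> Optional[Session]:
    provider = FakeProvider()
    client = HardenedClient(provider)
    req = client.begin_login()
    verifier = provider.user_authorizes(req, user_id)
    url = f"myapp-callback://success?oauth_token={req}&oauth_verifier={verifier}"
    return client.handle_callback(url)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened, injected:", demo_hardened_rejects_injection())
    print("hardened, legit:", demo_hardened_legit_flow())
```

The point of the contrast is that the callback URL is attacker-influenceable input on iOS: any process that can open the app's custom URL scheme can supply parameters, so the SDK must treat a callback as a hint to finish a login it started, not as proof that a login happened.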

The vulnerability was fixed in Twitter Kit for iOS v3.4.2, released October 30, 2018. If you are using the “Login with Twitter” feature, please upgrade to the latest release as soon as possible.

Please note that Twitter Kit for Android is not affected by this vulnerability.

Twitter is committed to protecting our users and building secure software, and we're grateful to the security community for identifying this issue and working with us to disclose it responsibly.
