CVE-2017-0911

Name of the Vulnerable Software and Affected Versions Twitter Kit for iOS versions 3.0 through 3.2.1

Description The issue concerns a callback verification flaw in the "Login with Twitter" component, allowing an attacker to provide alternate credentials. During the "Login with Twitter" authentication process, authentication information is passed back to the application using a registered custom URL scheme, typically in the format 'twitterkit-', on iOS devices. The callback handler fails to verify the authenticity of the response, making this step vulnerable to forgery. This could potentially allow an attacker to associate a Twitter account with a third-party service.

Recommendations For Twitter Kit for iOS versions 3.0 through 3.2.1, consider disabling the "Login with Twitter" component until a patch is available to prevent potential forgery attacks. Restrict access to the custom URL scheme, typically 'twitterkit-', to minimize the risk of exploitation. Avoid using the "Login with Twitter" feature in affected versions until the issue is resolved.