CVE-2019-5431

Name of the Vulnerable Software and Affected Versions Twitter Kit for iOS versions 3.0 through 3.4.0

Description The issue is caused by an incomplete fix and is related to a callback verification flaw in the "Login with Twitter" component. This flaw allows an attacker to provide alternate credentials. During the "Login with Twitter" authentication process, authentication information is passed back to the application using a registered custom URL scheme, typically in the format twitterkit-<consumer-key>, on iOS. The callback handler does not verify the authenticity of the response, making this step vulnerable to forgery. This could potentially allow an attacker to associate a Twitter account with a third-party service.

Recommendations For Twitter Kit for iOS versions 3.0 through 3.4.0, consider disabling the "Login with Twitter" component until a patch is available to prevent exploitation of the callback verification flaw. Restrict access to the custom URL scheme, typically in the format twitterkit-<consumer-key>, to minimize the risk of forgery.