[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [CVE-2013-5726] - Tweetbot for iOS and Mac user disclosure/privacy issue

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [CVE-2013-5726] - Tweetbot for iOS and Mac user disclosure/privacy issue
From: Guillaume Ross <guillaume@xxxxxxxxxxxxxxxx>
Date: Fri, 1 Nov 2013 10:23:08 -0400

- Affected Vendor: http://tapbots.com/
- Affected Software: Tweetbot for Mac, iPad and iPhone
- Affected Version: Mac: 1.3.3 - iPad: 2.8.5 - iPhone: 2.8.5
- Issue Type: Lack of user confirmation leading to Twitter action revealing the 
user's Twitter identity
- Release Date: November 1, 2013
- Discovered by: Guillaume Ross 
- CVE Identifier: CVE-2013-5726 
- Issue Status: Vendor has published version 3 for iPhone which resolves the 
issue. Vendor has confirmed the fix is in the Mac and iOS V2 codebase and 
should be released soon.

**Summary**

Tweebot is a Twitter client for Mac and iOS. Separate iOS versions exist for 
iPhone and iPad.

Tweetbot has a URL Scheme/association on all versions that allows actions to be 
triggered from within other applications. The supported actions can be viewed 
at http://tapbots.com/blog/development/tweetbot-url-scheme

**Description**

The actions related to following and favoriting do not prompt the user before 
performing the action. Additionally, Safari in iOS warns the user that an 
application will be launched only when the URL is used directly, but not when 
the URL is used within an inline frame. This makes the attack function without 
requiring user interaction.

**Impact**

A user browsing the web could click a malicious link or load a page containing 
a malicious link within an inline frame. The user would then favorite a tweet 
or follow a user account on Twitter. The attacker can use this action to 
identify the user browsing the page, to gather followers or to have the victim 
follow people they would be embarrassed to be associated with.

**Proof of Concept**

        tweetbot:///follow/justinbieber

This URL would have the user follow Justin Bieber. By embedding it in an inline 
frame, the attack is automated on iOS and on Mac.

        <iframe src="tweetbot:///follow/justinbieber"></iframe>

**Response Timeline**

- August 27 2013 - Vendor notified
- August 27 2013 - Vendor acknowledges vulnerability
- October 24 2013 - Tweetbot v3 for iPhone is released and resolves the issue
- October 31 2013 - Vendor confirms the fix is in the V2 and Mac code base and 
will be released soon
- November 1 2013 - Vulnerability Disclosed

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] [cryptography] coderman's keys
Next by Date: Re: [Full-disclosure] [cryptography] coderman's keys
Previous by thread: [Full-disclosure] [SECURITY] [DSA 2789-1] strongswan security update
Next by thread: [Full-disclosure] pdirl PHP Directory Listing 1.0.4 - Cross Site Scripting Web Vulnerabilities
Index(es):
- Date
- Thread