CVE-2019-5431

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-5431

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-5431.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-5431

Published

2019-05-06T17:29:00.480Z

Modified

2025-11-14T09:49:14.148332Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

This vulnerability was caused by an incomplete fix to CVE-2017-0911. Twitter Kit for iOS versions 3.0 to 3.4.0 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter" authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity of the response, this step is vulnerable to forgery, potentially allowing attacker to associate a Twitter account with a third-party service.

References

https://blog.twitter.com/developer/en_us/topics/tips/2018/vulnerability-in-twitter-kit-for-ios.html

Affected packages

Git / github.com/twitter/twitter-kit-ios

Affected ranges

Type: GIT
Repo: https://github.com/twitter/twitter-kit-ios
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

bb96560053991e2515a6d3612aeaa58b6aacaebd

Affected versions

v3.*

v3.4.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-5431.json"