Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Tweetbot Lack Of User Confirmation

🗓️ 03 Nov 2013 00:00:00Reported by Guillaume RossType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 43 Views

Tweetbot User Confirmation Issue, CVE-2013-572

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2013-5726
12 Nov 201320:00
cve
Cvelist		CVE-2013-5726
12 Nov 201320:00
cvelist
EUVD		EUVD-2013-5563
7 Oct 202500:30
euvd
NVD		CVE-2013-5726
12 Nov 201320:55
nvd
Prion		Design/Logic Flaw
12 Nov 201320:55
prion
RedhatCVE		CVE-2013-5726
22 May 202511:24
redhatcve
`- Affected Vendor: http://tapbots.com/  
- Affected Software: Tweetbot for Mac, iPad and iPhone  
- Affected Version: Mac: 1.3.3 - iPad: 2.8.5 - iPhone: 2.8.5  
- Issue Type: Lack of user confirmation leading to Twitter action revealing the user's Twitter identity  
- Release Date: November 1, 2013  
- Discovered by: Guillaume Ross   
- CVE Identifier: CVE-2013-5726   
- Issue Status: Vendor has published version 3 for iPhone which resolves the issue. Vendor has confirmed the fix is in the Mac and iOS V2 codebase and should be released soon.  
  
**Summary**  
  
Tweebot is a Twitter client for Mac and iOS. Separate iOS versions exist for iPhone and iPad.  
  
Tweetbot has a URL Scheme/association on all versions that allows actions to be triggered from within other applications. The supported actions can be viewed at http://tapbots.com/blog/development/tweetbot-url-scheme  
  
**Description**  
  
The actions related to following and favoriting do not prompt the user before performing the action. Additionally, Safari in iOS warns the user that an application will be launched only when the URL is used directly, but not when the URL is used within an inline frame. This makes the attack function without requiring user interaction.  
  
**Impact**  
  
A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The user would then favorite a tweet or follow a user account on Twitter. The attacker can use this action to identify the user browsing the page, to gather followers or to have the victim follow people they would be embarrassed to be associated with.  
  
**Proof of Concept**  
  
tweetbot:///follow/justinbieber  
  
This URL would have the user follow Justin Bieber. By embedding it in an inline frame, the attack is automated on iOS and on Mac.  
  
<iframe src="tweetbot:///follow/justinbieber"></iframe>  
  
**Response Timeline**  
  
- August 27 2013 - Vendor notified  
- August 27 2013 - Vendor acknowledges vulnerability  
- October 24 2013 - Tweetbot v3 for iPhone is released and resolves the issue  
- October 31 2013 - Vendor confirms the fix is in the V2 and Mac code base and will be released soon  
- November 1 2013 - Vulnerability Disclosed  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Nov 2013 00:00Current
6.8Medium risk
Vulners AI Score6.8
EPSS0.00292
tweetbotuser confirmationmacipadiphonetwitteridentityurl schemesafariiosattackproof of conceptvulnerabilitydisclosurevendorguillaume rosscve-2013-5726
43