Design/Logic Flaw

2013-11-1220:55:00

PRIOn knowledge base

www.prio-n.com

7.3 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.6%

JSON

Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not require confirmation of (1) follow or (2) favorite actions, which allows remote attackers to automatically force the user to perform undesired actions, as demonstrated via the tweetbot:///follow/ URL.

CPENameOperatorVersion
tweetboteq1.3.3
tweetboteq2.8.5
tweetboteq2.8.5

Name	Operator	Version
tweetbot	eq	1.3.3
tweetbot	eq	2.8.5
tweetbot	eq	2.8.5

References

blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/

osvdb.org/99256

seclists.org/fulldisclosure/2013/Nov/9