I have added a Login via Twitter feature to my application, and I am currently checking whether it has the recently revealed SpoofedMe vulnerability. When I tried to recreate the SpoofedMe scenario (create an account on Twitter without confirming the email ID, then log in to my app with the same ID), it turned out to be vulnerable. Does Twitter let users log in via OAuth even though their email is not verified?
Is there a special attribute in the user profile response which I can use to check whether the user's email is verified or not?
Thanks in advance.
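The following is an added example (not from the question or from Twitter's own code) showing the server-side rule that closes the SpoofedMe hole regardless of what the identity provider reports: a social identity is keyed on the provider's stable user id, and it is merged into an existing local account by email only when the provider explicitly asserts that the address is verified. The profile dict keys (`provider`, `provider_user_id`, `email`, `email_verified`), the in-memory `UserStore` and the action names returned by `social_login` are all assumptions for illustration; whether a particular provider supplies a verification flag at all has to be checked against that provider's documentation.

```python
"""Account-linking decision for social login, with the SpoofedMe mitigation.

Added example, not code from the question. Assumptions: the OAuth callback has
already been normalised into a dict with keys 'provider', 'provider_user_id',
'email' and 'email_verified'; the user store is an in-memory stand-in for a DB.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class LocalUser:
    user_id: int
    email: Optional[str]                      # None when no verified address is known
    identities: set = field(default_factory=set)   # {(provider, provider_user_id), ...}


class UserStore:
    """Minimal in-memory user store (assumption standing in for a real database)."""

    def __init__(self):
        self.users = []

    def register_with_password(self, email: str) -> LocalUser:
        # A user who signed up directly and proved ownership of the address.
        return self._add(email.strip().lower(), identities=set())

    def by_identity(self, identity: Tuple[str, str]) -> Optional[LocalUser]:
        return next((u for u in self.users if identity in u.identities), None)

    def by_email(self, email: Optional[str]) -> Optional[LocalUser]:
        if not email:
            return None
        return next((u for u in self.users if u.email == email), None)

    def create_from_identity(self, email: Optional[str], identity) -> LocalUser:
        return self._add(email, identities={identity})

    def _add(self, email, identities) -> LocalUser:
        user = LocalUser(user_id=len(self.users) + 1, email=email, identities=identities)
        self.users.append(user)
        return user


def social_login(store: UserStore, profile: dict) -> Tuple[str, int]:
    """Decide what to do with a social-login profile. Returns (action, local user id).

    actions: 'login'                   identity already linked, normal sign-in
             'link_and_login'          verified e-mail matched an existing account
             'require_ownership_proof' e-mail matched but is NOT verified (SpoofedMe)
             'create_and_login'        no collision, fresh account keyed on identity
    """
    identity = (profile["provider"], str(profile["provider_user_id"]))

    # 1. The provider's stable user id, not the e-mail, is the primary key.
    user = store.by_identity(identity)
    if user is not None:
        return ("login", user.user_id)

    email = (profile.get("email") or "").strip().lower() or None
    verified = bool(email) and profile.get("email_verified") is True
    existing = store.by_email(email)

    # 2. Auto-merge by e-mail only when the provider vouches for the address.
    if existing is not None and verified:
        existing.identities.add(identity)
        return ("link_and_login", existing.user_id)

    # 3. Same address, but unverified at the provider: this is exactly the
    #    SpoofedMe case. Do not link; make the user prove ownership of the
    #    existing account (password, e-mail challenge) before merging.
    if existing is not None:
        return ("require_ownership_proof", existing.user_id)

    # 4. No collision. Create a new account, but store the e-mail only if it
    #    is verified so it can never be used as a lookup key later.
    new_user = store.create_from_identity(email if verified else None, identity)
    return ("create_and_login", new_user.user_id)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    store = UserStore()
    victim = store.register_with_password("victim@example.com")
    unverified = {"provider": "twitter", "provider_user_id": "9001",
                  "email": "Victim@example.com", "email_verified": False}
    print(social_login(store, unverified))   # ('require_ownership_proof', 1)
```

The important design choice is step 4: an account created from an unverified profile deliberately records no email, so a later `by_email` lookup can never be satisfied by an address the provider never checked. Missing or non-boolean `email_verified` values are treated as unverified, which is the safe default when a provider does not expose such a flag.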