How did Twitter fix the SpoofedMe vulnerability?


#1

I have added a Login via Twitter feature to my application, and I was recently checking whether it has the recently revealed SpoofedMe vulnerability. When I tried to create the SpoofedMe scenario (create an account on Twitter without confirming the email ID, then log in to my app with the same ID), it was found to be vulnerable. Does Twitter let users log in via OAuth even though their email is not verified?

Is there a special attribute in the user profile response which I can use to check whether the user's email is verified or not?

Thanks in advance.


#2

Twitter would not be vulnerable to SpoofedMe, since Sign in with Twitter does not provide access to a user's email address. SpoofedMe works by relying parties trusting that identity providers have verified user access to an email account. Twitter makes no such claims regarding email, only that the user has access to an authenticated Twitter account.
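An added example (not from this thread, Twitter, or any library) showing the relying-party side of what the reply describes: the vulnerable lookup matches a local account on whatever e-mail the identity provider returns, while the hardened lookup matches on the provider's stable user ID and only trusts an e-mail the provider flags as verified, so a Twitter login that carries no e-mail can never be matched by address. The provider names, subject IDs, `email_verified` flag and account database are all constructed.

```python
# Relying-party account lookup for social login, illustrating the SpoofedMe
# pattern. Constructed example: no real Twitter or OAuth endpoint is called.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class IdpClaims:
    provider: str
    subject: str                   # provider's stable user ID (e.g. Twitter user id)
    email: Optional[str] = None    # absent for Sign in with Twitter
    email_verified: bool = False   # missing or False means "do not trust"

@dataclass
class LocalAccount:
    username: str
    email: str
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (provider, subject)

# Constructed RP database: the victim signed up with a password and a
# locally verified e-mail, and has never linked any identity provider.
ACCOUNTS = {"victim": LocalAccount("victim", "victim@example.com")}

def _find_by_link(claims):
    return next((a for a in ACCOUNTS.values()
                 if (claims.provider, claims.subject) in a.links), None)

def _find_by_email(email):
    return next((a for a in ACCOUNTS.values() if a.email == email), None)

def login_vulnerable(claims):
    """SpoofedMe pattern: matches the local account on whatever e-mail the
    IdP returns, whether or not the IdP ever confirmed it."""
    acct = _find_by_link(claims) or (claims.email and _find_by_email(claims.email))
    return acct.username if acct else None

def login_hardened(claims):
    """Match on the provider's stable subject first; fall back to e-mail only
    when the IdP asserts it verified that address. No e-mail (Twitter) or an
    unverified one gives no match, so the RP starts a fresh sign-up instead."""
    acct = _find_by_link(claims)
    if acct is None and claims.email and claims.email_verified:
        acct = _find_by_email(claims.email)
    if acct is not None:
        acct.links.add((claims.provider, claims.subject))  # bind for next login
    return acct.username if acct else None

# Constructed attacker claims: an IdP account registered with the victim's
# address but never confirmed, so email_verified stays False.
ATTACKER = IdpClaims("idp-x", "attacker-123", "victim@example.com", False)
```

With these inputs `login_vulnerable(ATTACKER)` hands the attacker the victim's session, `login_hardened(ATTACKER)` returns no match, and a Twitter claim with no e-mail matches nothing under either lookup.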