Twitter: Twitter Source Label allows 'mongolian vowel separator' U+180E (app name)
News category: Security vulnerabilities
Source: vulners.com
Summary: Twitter app names (which are shown in the Tweet source label) are supposed to be unique, and because of that they must not include invisible Unicode characters. However, the mongolian vowel separator can be used in these app names, which allows an app name to be faked.

Description: Every tweet has a 'Tweet source label' (https://help.twitter.com/en/using-twitter/how-to-tweet#source-labels) which in my understanding is determined by the credentials provided when the POST statuses/update request is made to the Twitter API. This name/source is shown, for example, below a tweet in the Twitter web app or the Android app, or on the Twitter app authorization screen. Every source is registered by one specific Twitter developer account. Therefore it should not be possible to use invisible characters in an app name, because names would stop 'looking' unique.

If you try, for example, to register an app with a name which includes a 'zero width space' (U+200B), you get the following error: "appName: The application name can't include invisible unicode characters". Despite this check, it is possible to use the 'mongolian vowel separator' U+180E within an app name. The name is rendered like the name without this symbol (I tested this at least with the Twitter web app in Chrome on Windows and in Twitter for Android), but it is registered as a completely different application.

Notice that a possible attack scenario, which is a bit more detectable, is using other Unicode spaces, for example from... ...
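The report's root cause is a deny-list check that knows about some invisible characters (U+200B is rejected) but not others (U+180E passes), combined with a uniqueness check that compares raw strings. The example below is added here and is not code from the report or from Twitter; the "naive" deny-list is a constructed stand-in for whatever Twitter actually checks, which the page does not show. It contrasts that deny-list with a category-based check (Unicode general categories Cf, Cc, Cn, Zl, Zp, and any Zs other than a plain space), and derives a canonical uniqueness key so that two names that render identically collide at registration time regardless of which invisible code point was used.

```python
import unicodedata

# Constructed deny-list standing in for a check that only knows a few
# well-known zero-width characters (assumption: not Twitter's real list).
NAIVE_INVISIBLE = {"\u200b", "\u200c", "\u200d", "\ufeff"}


def naive_has_invisible(name: str) -> bool:
    """Deny-list check: misses anything not explicitly listed, e.g. U+180E."""
    return any(ch in NAIVE_INVISIBLE for ch in name)


def _is_invisible_char(ch: str) -> bool:
    """True for characters that render as nothing or as non-plain whitespace.

    U+180E is general category Cf since Unicode 6.3, so it is caught here
    without being listed by hand; so are U+200B, U+FEFF, bidi controls, etc.
    """
    cat = unicodedata.category(ch)
    if cat in ("Cf", "Cc", "Cn", "Co", "Cs", "Zl", "Zp"):
        return True
    # Zs covers U+00A0, U+2000..U+200A, U+3000 and similar space look-alikes.
    return cat == "Zs" and ch != " "


def robust_has_invisible(name: str) -> bool:
    """Category-based check: rejects any invisible or non-ASCII-space character."""
    return any(_is_invisible_char(ch) for ch in name)


def canonical_key(name: str) -> str:
    """Key used for the uniqueness comparison, not for display.

    NFKC folds compatibility forms (e.g. fullwidth letters), invisibles and
    all whitespace are dropped, and the result is casefolded so that names
    which look the same on screen map to the same key.
    """
    nfkc = unicodedata.normalize("NFKC", name)
    kept = [ch for ch in nfkc if not _is_invisible_char(ch) and not ch.isspace()]
    return "".join(kept).casefold()


class AppRegistry:
    """Minimal registry (constructed) that enforces both checks on registration."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    def register(self, name: str) -> tuple[bool, str]:
        """Return (accepted, reason). Rejects invisibles and look-alike collisions."""
        if robust_has_invisible(name):
            return False, "appName: invisible unicode characters are not allowed"
        key = canonical_key(name)
        if key in self._by_key:
            return False, f"appName: collides with existing app {self._by_key[key]!r}"
        self._by_key[key] = name
        return True, "ok"


if __name__ == "__main__":
    spoofed = "My\u180eApp"  # renders as "MyApp" in the clients the report mentions
    print("naive check catches U+180E: ", naive_has_invisible(spoofed))   # False
    print("robust check catches U+180E:", robust_has_invisible(spoofed))  # True
    reg = AppRegistry()
    print(reg.register("MyApp"))
    print(reg.register("my app"))        # rejected: same canonical key
    print(reg.register("\uff2d\uff59App"))  # fullwidth "My": rejected after NFKC
```

The design point is that the two defences are independent: the category-based filter stops invisible code points from ever entering a name, and the canonical key stops two names that differ only in characters a user cannot see (or in spacing, width or case) from both being registered. Either one alone would have closed the U+180E case; together they also cover the "other Unicode spaces" variant the report mentions.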