Breaking

Plume Twitter Client URL Spoofing

It is possible to spoof the URLs that Plume will open to arbitrary locations because of how Plume parses URLs. The preview of an URL in a tweet will show the complete (at least the host name and the first few chars of the URL) but shortened URL. However, if the URL contains a semicolon (;) the URL that will be opened is the part after the semicolon.

An attacker can make use of this behavior by specifying a URL like the following in a Tweet or direct message:

https://insinutaor.net/2018/05/security-of;https://www.ernw.de

Plume will display the first part of the URL and shorten the URL like this:

A user will think this is a valid link going to insinuator.net/2018/05/securi.... However, when clicking that link the URL https://www.ernw.de will be opened. This is a prime target for phishing attacks or tricking people into clicking on malicious links.

Affected Version

The affected version is at least Android Plume <= 6.30.2 (630190). There is only a partial fix implemented right now that prevents the spoofed link to be opened only for the first time a user clicks on it.

Disclosure Timeline

This bug has been disclosed to Ubermedia on May 19th. A disclosure date was set to 30 days.

I confirmed a partial fix on August 16th and noted that the issue still persists. Disclosure date was delayed to September 30th.

Final contact with a request for an updated status on November 16th was unanswered by the support since.

Leave a Reply

Your email address will not be published.