• Security Researchers Find Out Login Information Is Being Exposed On CNN iPhone App

    Security researchers at Zscaler have reported a security flaw in CNN’s iPhone app that apparently exposes users’ logins and passwords. The app’s iReport feature lets users sign up and submit news stories, but it reportedly does not use SSL encryption for the login. The iPad CNN app reportedly does not have the same vulnerability, since it does not currently have the iReport feature.

    The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.

    As can be seen, both transmissions are sent in clear text (HTTP) and the password ([email protected]) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.
    CNN was reportedly notified by Zscaler on July 15th, but the company is still investigating the flaw. The iPhone CNN app recently received an update whose release notes mention ‘bug fixes’. The company has not yet confirmed whether the security flaw detailed by Zscaler is addressed in the update.
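
A check for the weakness described above, as an added example that is not from Zscaler or CNN: it audits requests captured while testing an app and flags credential fields sent over plain HTTP. The hosts, paths, field names and sample capture are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed list; extend for the app under test).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

def audit_request(method, url, headers, body=""):
    """Return findings for one captured request; an empty list means nothing flagged."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        return []  # transport is encrypted; certificate validation is a separate test
    headers = {k.lower(): v for k, v in headers.items()}
    where = f"{method} {parts.netloc}{parts.path}"
    findings = []
    # Credentials can travel in the query string or in a form-encoded body.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    for name, _value in params:  # report the field name only, never the value
        if name.lower() in SENSITIVE:
            findings.append(f"{where}: '{name}' sent over {parts.scheme}")
    # HTTP Basic auth is only base64-encoded, so it is also readable on plain HTTP.
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append(f"{where}: Basic credentials sent over {parts.scheme}")
    return findings

def audit_capture(capture):
    """Audit a list of (method, url, headers, body) tuples."""
    return [f for req in capture for f in audit_request(*req)]

# Constructed sample capture (hypothetical hosts, paths and field names).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
CAPTURE = [
    ("POST", "http://app.example.invalid/register", FORM,
     "email=user%40example.invalid&password=constructed-value"),
    ("POST", "https://app.example.invalid/login", FORM,
     "email=user%40example.invalid&password=constructed-value"),
    ("GET", "http://app.example.invalid/login?user=u&pwd=constructed-value", {}, ""),
    ("GET", "http://cdn.example.invalid/logo.png", {}, ""),
]

if __name__ == "__main__":
    for line in audit_capture(CAPTURE):
        print(line)
```
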

    Source: Zscaler
    This article was originally published in forum thread: Security Researchers Find Out Login Information Is Being Exposed On CNN iPhone App started by Akshay Masand
    2 Comments
      Silverado1987 -
      Glad I don't have the CNN app. And of course it's not fixed. They prolly just did a quick update to nothing and say bug fixes to make people feel all warm and fuzzy inside until they figure out what's going on.

      Sent from my iPhone using ModMyi
      cyberjunkyfreak -
      gee... you would think this would be worthy of a CNN breaking news update... however I can't find anything about it on their site.
