
A security flaw in CNN’s iPhone app was reported by security researchers at Zscaler, and the flaw apparently exposes users’ logins and passwords. The iPhone CNN app has an iReport feature that lets users sign up and submit news stories, but it has been reported not to use SSL encryption for the login. However, reports claim that the iPad CNN app does not have the same vulnerability, since the iPad version does not currently have the iReport feature.
The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.
As can be seen, both transmissions are sent in clear text (HTTP) and the password ([email protected]) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web-based iReport account, where any past submissions are also accessible.
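The weakness described above is easy to check for mechanically: any request that carries a login or registration form without TLS is a finding. The following checker is an added example, not code from the article, from Zscaler or from CNN. It parses a raw HTTP request capture, pulls the form fields out of the body or query string, and reports any secret-bearing field that travelled without TLS. The endpoint paths, hostnames and field values are constructed placeholders, and the `SECRET_FIELDS` list is an assumption for this example; the `over_tls` flag stands in for whatever the capture tool recorded about the transport.

```python
"""Flag credential submissions that travel over plain HTTP.

Added example (not from the original article, Zscaler or CNN): a small
checker that mimics what a reviewer inspecting app traffic would do. It
parses constructed HTTP request captures and reports any request that
carries login/registration secrets without TLS.
"""
from urllib.parse import parse_qs

# Field names commonly used for secrets in login/registration forms.
# Hypothetical list for this example; extend it to match the app under test.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_cleartext_credentials(raw: str, over_tls: bool) -> list:
    """Return the names of secret fields sent in this request without TLS.

    `over_tls` records whether the capture came from a TLS session. A request
    that used TLS is never flagged, whatever fields it carries; a cleartext
    request is flagged for every secret field found in its form body or in
    its query string (login-by-GET is worse still, since the secret also
    lands in server and proxy logs).
    """
    if over_tls:
        return []
    req = parse_request(raw)
    fields = {}
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qs(req["body"]))
    if "?" in req["target"]:
        fields.update(parse_qs(req["target"].split("?", 1)[1]))
    return sorted(f for f in fields if f.lower() in SECRET_FIELDS)


def audit(captures: list) -> list:
    """Run the check over (raw_request, over_tls) pairs; return flagged findings."""
    findings = []
    for index, (raw, over_tls) in enumerate(captures):
        leaked = find_cleartext_credentials(raw, over_tls)
        if leaked:
            findings.append((index, parse_request(raw)["target"], leaked))
    return findings


# Constructed captures. Hosts and paths are placeholders, not CNN's endpoints.
LOGIN_FORM = "email=alice%40example.invalid&password=s3cret"
LOGIN_POST = (
    "POST /ireport/login HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(LOGIN_FORM)}\r\n"
    "\r\n"
    f"{LOGIN_FORM}"
)
LOGIN_GET = (
    "GET /ireport/login?user=alice&pwd=s3cret HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "\r\n"
)
FEED_GET = (
    "GET /ireport/feed?page=2 HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "\r\n"
)

SAMPLE_CAPTURES = [
    (LOGIN_POST, False),  # the weakness in the article: login over plain HTTP
    (LOGIN_POST, True),   # the same form over TLS: not flagged
    (LOGIN_GET, False),   # secret in the query string over plain HTTP
    (FEED_GET, False),    # cleartext, but no secret fields: not flagged
]

if __name__ == "__main__":
    for index, target, leaked in audit(SAMPLE_CAPTURES):
        print(f"capture {index}: {target} sends {leaked} without TLS")
```

Run as a script it prints one line per flagged capture; the two TLS-free login requests are reported and the TLS login and the plain feed fetch are not. The check is deliberately narrow: it only looks at form-encoded bodies and query strings, so a JSON login body would need a small extension to the field extraction.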
Source: Zscaler