CNN iPhone App Sends iReporters' Passwords In the Clear

← Back to Stories (view on slashdot.org)

CNN iPhone App Sends iReporters' Passwords In the Clear

Posted by Unknown on Wednesday July 23, 2014 @02:55AM from the safe-reporting dept.

chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

40 comments

Min score:

Reason:

Sort:

Security? In a crapp? by Anonymous Coward · 2014-07-23 03:00 · Score: 1

Did anyone *really* expect a crapp to have any sort of security whatsoever?
1. Re:Security? In a crapp? by Anonymous Coward · 2014-07-23 03:51 · Score: 0
  
  Offcourse it is Apple its fault for not auditing good enough to find these flaws.
2. Re:Security? In a crapp? by fuzzyfuzzyfungus · 2014-07-23 04:37 · Score: 1
  
  Did anyone *really* expect a crapp to have any sort of security whatsoever?
  It's a trifle surprising given that the usual 'eh, let's just wrap our shit mobile website in a UIWebView and call it a day' school of 'app' development would likely have inherited SSL through sheer laziness, while whatever attempt at app development CNN attempted is apparently so dysfunctional as to be markedly worse than the state of website logins in general, and apparently so incoherent that the phone and tablet versions don't share login behavior...
  
  That seems like the sort of thing that takes effort to screw up.
Waiting.... by gunner_von_diamond · 2014-07-23 03:01 · Score: 1

A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.
1. Re:Waiting.... by Anonymous Coward · 2014-07-23 03:04 · Score: 0
  
  " Not having to wait for releases of App updates. " - yeah, because you've skipped a round of vetting eyeballs.
2. Re:Waiting.... by stephenmac7 · 2014-07-23 03:07 · Score: 2, Insightful
  
  Those "vetting eyeballs" seem to be incompetent if they let through an app sending passwords in plain text. They're probably just making sure you're not making a web browser (without webkit) app or something else Apple doesn't like.
  
  --
  "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
3. Re:Waiting.... by Anonymous Coward · 2014-07-23 03:08 · Score: 0
  
  That round of vetting eyeballs really helped here didn't it.
4. Re:Waiting.... by Anonymous Coward · 2014-07-23 03:16 · Score: 0
  
  I think they're more interested in preventing compromise of their app store, as in trojans being sold as easter-eggs. You see those on android, not on istore.
5. Re:Waiting.... by Anonymous Coward · 2014-07-23 03:20 · Score: 0
  
  If someone took advantage of the flaw, would anyone notice?
6. Re:Waiting.... by Anonymous Coward · 2014-07-23 03:32 · Score: 0
  
  A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.
  How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore?
  That's one argument for Android. Not having to wait for releases of App updates.
  Yup, that's one argument for Android alright...thinking that not waiting around for the official vetted update from Android and instead waiting on the (always honest and trusting) user community to conveniently supply one for you is somehow quick, convenient, and safe.
  Good luck with that ignorance, along with the fact that Android will likely remain THE #1 targeted mobile platform. Have fun.
7. Re:Waiting.... by Richard_at_work · 2014-07-23 03:38 · Score: 2
  
  It depends what they are vetting - the security of a third party service is probably something they care little about.
8. Re:Waiting.... by tlhIngan · 2014-07-23 04:12 · Score: 1
  
  How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.
  Apple does allow for emergency updates that get you approved in about a day tops.
  Though the big question is what do you get with your login? What does it let you do? Do you have to pay for it or is it free?
  I mean, if it's only to submit news to CNN and comment on their posts, then really it's NBD that it's in the clear - not ideal, but really, you get to post news as someone else, whoop-di-do.
  Just like how you can log into ./ using a URL. Yay, so it's compromised and someone can post as me. Big freaking deal.
  (Oh, and you need to sniff the password while the user is using it, so while it's easy to do, practically speaking, I don't think you're that likely to encounter too many people using it to make it worthwhile).
9. Re:Waiting.... by Noah+Haders · 2014-07-23 07:46 · Score: 1
  
  whaa? how can I log into calstart with a url? link or it didn't happen.
10. Re:Waiting.... by Smerta · 2014-07-24 02:01 · Score: 1
  
  I think the real issue is that people tend to use the same login info on multiple websites. So even if having access to the victim's CNN profile is no big deal, having access to Clarence's Amazon login credentials is a whole different matter.
No excuse by robstout · 2014-07-23 03:16 · Score: 2

Come on people, it's 2014, not the 90s. Why is this stuff still happening?
1. Re:No excuse by timrod · 2014-07-23 03:27 · Score: 3, Insightful
  
  It's still happening because everyone and their mother wants the ability to have exclusive ads and information gathering on people's mobile devices. This is why you see very few robust mobile websites, because it's more profitable to collect and sell user data gathered via a mobile app (as well as serving ads).
2. Re:No excuse by Anonymous Coward · 2014-07-23 03:35 · Score: 1
  
  Come on people, it's 2014, not the 90s. Why is this stuff still happening?
  Do you honestly believe that if Facebook stopped using HTTPS tomorrow, people would stop logging in?
  People don't give a shit, and therefore coders don't give a shit. The only thing that matters is profit.
3. Re:No excuse by gstoddart · 2014-07-23 03:44 · Score: 1
  
  There's an easy answer: companies are more interested in "ZOMG, we have to have teh app" then they are in spending time and resources in making the app not suck.
  Any app which goes out the door which is sending passwords in plaintext was either written by someone who was incompetent, or who was told by management to just ship the damned thing and get on with it.
  In my experience, it's usually the latter.
  And, since companies don't really bear any liability for implementing terrible security, I don't see this changing.
  My bet, there were a few people who knew this, pointed it out, and got told to STFU. If nobody knew about this, well, then we'll revert back to incompetence and people who have no idea of how to write for security.
  
  --
  Lost at C:>. Found at C.
4. Re:No excuse by Anonymous Coward · 2014-07-23 05:21 · Score: 0
  
  of course unless they use that username and password elsewhere. Or if they're being somewhat malicious, they know the individual and know what some other account names are. Now if people were intelligent and didn't use the same password across important sites so their CNN password wasn't their bank password, no problem, but yeah....
5. Re:No excuse by antdude · 2014-07-23 08:30 · Score: 1
  
  Because they care not? :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
"malicious actors" by BenSchuarmer · 2014-07-23 03:21 · Score: 1

like Mark Wahlberg?
Incompetent developers? by QuietLagoon · 2014-07-23 03:27 · Score: 3, Insightful

Did CNN hire the most incompetent developers in the world to write this app?
.
Instead of talking about "malicious actors", the article should be talking about malicious developers.
1. Re:Incompetent developers? by Anonymous Coward · 2014-07-23 03:35 · Score: 0
  
  Did CNN hire the most incompetent developers in the world to write this app?.
  No, they just asked iCoders to submit any apps they'd written and then posted them on the website.
2. Re:Incompetent developers? by gstoddart · 2014-07-23 03:53 · Score: 2
  
  Instead of talking about "malicious actors", the article should be talking about malicious developers.
  Or, and I think this is more likely ... malicious management who is more interested in getting something out the door than giving a damn about how much it sucks.
  Find me a developer who has never been told to "just do it" and put some garbage out, and I'll show you a lucky (wo)man.
  From what I've seen, this is caused by the people who make the decisions deciding they don't want to wait, or spend the time implementing security.
  
  --
  Lost at C:>. Found at C.
3. Re:Incompetent developers? by Anonymous Coward · 2014-07-23 04:08 · Score: 0
  
  Irony here is all the reporting they've done about computers, technology, and security, especially passwords. In response to all that parroting about 'safety' of your information online, they seem to show what truly matters. Corporate incompetence.
4. Re:Incompetent developers? by Anonymous Coward · 2014-07-23 05:09 · Score: 0
  
  Corporate incompetence. did you expect anything else from the Crappy News Network?
5. Re:Incompetent developers? by Anonymous Coward · 2014-07-23 07:16 · Score: 0
  
  Speaking of incompetent developers, Slashdot's login sends passwords in the clear.
6. Re:Incompetent developers? by Anonymous Coward · 2014-07-23 08:44 · Score: 0
  
  Speaking of incompetent developers, Slashdot's login sends passwords in the clear.
  That's actually not true, the form's target is https://slashdot.org/my/login.
  Of course, this is not much better since it leaves you vulnerable to an sslstrip-like attack unless you check the site's source code and verify the form sends its data over HTTPS every time you login (Note that even that might not be engough, since e.g. Firefox makes a fresh HTTP request when you display the page source by pressing CTRL+u, meaning the source code you see there is not necesarrily the same that was used to render the page).
  However, I fail to see what's newsworthy about this story. Don't get me wrong, sure it would be better if they used a properly encrypted channel or at least a cryptographically secure challenge-response authentication. But there are so many apps out there (even big, well-known ones) that still have cleartext logins or otherwise horrible security and nobody seems to care about them. A lot of websites are not much better. Heck, it wasn't until Arab spring that Facebook & co. rolled out HTTPS for all of its users. And apps are much worse. The majority of mobile apps that use some sort of remote profile have no security at all. Even some of the (sadly) most-used ones that are used to transmit much more private data than this app still struggle with proper encryption (WhatsApp comes to mind).
  My guess is most otherwise technically knowledgeable people don't realize how bad mobile app security is because you usually don't see how an app transmits its data. On the web, at least there is a standardized protocol, and the users can see whether the traffic to a page is encrypted or not.
iPhone app different from iPad app? by Anonymous Coward · 2014-07-23 03:33 · Score: 0

Doesn't anyone else find it disturbing that they seem to need to maintain a different app for iPad and iPhone? Both devices run iOS - the real difference is just screen size and phone dialer. I guess this came into play because of Apple's original insistence on one single screen resolution? Because this doesn't happen on Android. Sure, there are apps that don't look nice on a large screen tablet because the developer didn't deal with different resolutions well. But they do WORK and you don't need to maintain separate apps. More enlightened developers have apps that look great on both phones and tablets. Is it really required anymore to have separate apps for iOS or is this just another thing the CNN developers did wrong?
CNN? by Bodhammer · 2014-07-23 03:48 · Score: 4, Funny

CNN has reporters? When did that start?

--
"I say we take off, nuke the site from orbit. It's the only way to be sure."
1. Re:CNN? by rockabilly · 2014-07-23 03:50 · Score: 1
  
  CNN has reporters? When did that start?
  Ha! I'd mod you up if I could
2. Re:CNN? by Anonymous Coward · 2014-07-23 04:10 · Score: 0
  
  I think CNN used to have reporters.
  Not sure when they all left, but it was before the first Gulf War started.
3. Re:CNN? by Anonymous Coward · 2014-07-23 13:07 · Score: 0
  
  CNN has reporters? When did that start?
  I used to watch Chuck Roberts and Judy Fortin on CNN headline news during lunch. As a TEENAGER. That was quality news reporting. What's happened in the past 10-15 years has been absolutely abysmal to watch ... news networks that care more about profit than providing a public service. Still some rays of hope left - but not many.
majority by Anonymous Coward · 2014-07-23 04:05 · Score: 0

I'm pretty sure a majority of apps send user credentials in cleartext. We just don't know about it cause no one's looked into it.
iPhone app different from iPad app? by Anonymous Coward · 2014-07-23 04:06 · Score: 0

xcode guides you, actually almost forces you, to make a single application that works on all their iOS devices.
CNN went out of their way to make two different applications.
Open source by Anonymous Coward · 2014-07-23 04:35 · Score: 0

They heard "open" means "secure", but they never got the details
SMH by Anonymous Coward · 2014-07-23 05:32 · Score: 0

It's 2014, whoever thought it was a good idea to send plain text passwords should be fired.. I doubt CNN is the only one that does it, but still we should be past this type of shit.