Slashdot Mirror

← Back to Stories (view on slashdot.org)

CNN iPhone App Sends iReporters' Passwords In the Clear

Posted by Unknown on from the safe-reporting dept.

chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

18 of 40 comments (clear)

  1. Security? In a crapp? by Anonymous Coward · · Score: 1

    Did anyone *really* expect a crapp to have any sort of security whatsoever?

    1. Re:Security? In a crapp? by fuzzyfuzzyfungus · · Score: 1

      Did anyone *really* expect a crapp to have any sort of security whatsoever?

      It's a trifle surprising given that the usual 'eh, let's just wrap our shit mobile website in a UIWebView and call it a day' school of 'app' development would likely have inherited SSL through sheer laziness, while whatever attempt at app development CNN attempted is apparently so dysfunctional as to be markedly worse than the state of website logins in general, and apparently so incoherent that the phone and tablet versions don't share login behavior...

      That seems like the sort of thing that takes effort to screw up.

  2. Waiting.... by gunner_von_diamond · · Score: 1

    A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

    How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

    1. Re:Waiting.... by stephenmac7 · · Score: 2, Insightful

      Those "vetting eyeballs" seem to be incompetent if they let through an app sending passwords in plain text. They're probably just making sure you're not making a web browser (without webkit) app or something else Apple doesn't like.

      --
      "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
    2. Re:Waiting.... by Richard_at_work · · Score: 2

      It depends what they are vetting - the security of a third party service is probably something they care little about.

    3. Re:Waiting.... by tlhIngan · · Score: 1

      How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

      Apple does allow for emergency updates that get you approved in about a day tops.

      Though the big question is what do you get with your login? What does it let you do? Do you have to pay for it or is it free?

      I mean, if it's only to submit news to CNN and comment on their posts, then really it's NBD that it's in the clear - not ideal, but really, you get to post news as someone else, whoop-di-do.

      Just like how you can log into ./ using a URL. Yay, so it's compromised and someone can post as me. Big freaking deal.

      (Oh, and you need to sniff the password while the user is using it, so while it's easy to do, practically speaking, I don't think you're that likely to encounter too many people using it to make it worthwhile).

    4. Re:Waiting.... by Noah+Haders · · Score: 1

      whaa? how can I log into calstart with a url? link or it didn't happen.

    5. Re:Waiting.... by Smerta · · Score: 1

      I think the real issue is that people tend to use the same login info on multiple websites. So even if having access to the victim's CNN profile is no big deal, having access to Clarence's Amazon login credentials is a whole different matter.

  3. No excuse by robstout · · Score: 2

    Come on people, it's 2014, not the 90s. Why is this stuff still happening?

    1. Re:No excuse by timrod · · Score: 3, Insightful

      It's still happening because everyone and their mother wants the ability to have exclusive ads and information gathering on people's mobile devices. This is why you see very few robust mobile websites, because it's more profitable to collect and sell user data gathered via a mobile app (as well as serving ads).

    2. Re:No excuse by Anonymous Coward · · Score: 1

      Come on people, it's 2014, not the 90s. Why is this stuff still happening?

      Do you honestly believe that if Facebook stopped using HTTPS tomorrow, people would stop logging in?

      People don't give a shit, and therefore coders don't give a shit. The only thing that matters is profit.

    3. Re:No excuse by gstoddart · · Score: 1

      There's an easy answer: companies are more interested in "ZOMG, we have to have teh app" then they are in spending time and resources in making the app not suck.

      Any app which goes out the door which is sending passwords in plaintext was either written by someone who was incompetent, or who was told by management to just ship the damned thing and get on with it.

      In my experience, it's usually the latter.

      And, since companies don't really bear any liability for implementing terrible security, I don't see this changing.

      My bet, there were a few people who knew this, pointed it out, and got told to STFU. If nobody knew about this, well, then we'll revert back to incompetence and people who have no idea of how to write for security.

      --
      Lost at C:>. Found at C.
    4. Re:No excuse by antdude · · Score: 1

      Because they care not? :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  4. "malicious actors" by BenSchuarmer · · Score: 1

    like Mark Wahlberg?

  5. Incompetent developers? by QuietLagoon · · Score: 3, Insightful
    Did CNN hire the most incompetent developers in the world to write this app?

    .
    Instead of talking about "malicious actors", the article should be talking about malicious developers.

    1. Re:Incompetent developers? by gstoddart · · Score: 2

      Instead of talking about "malicious actors", the article should be talking about malicious developers.

      Or, and I think this is more likely ... malicious management who is more interested in getting something out the door than giving a damn about how much it sucks.

      Find me a developer who has never been told to "just do it" and put some garbage out, and I'll show you a lucky (wo)man.

      From what I've seen, this is caused by the people who make the decisions deciding they don't want to wait, or spend the time implementing security.

      --
      Lost at C:>. Found at C.
  6. CNN? by Bodhammer · · Score: 4, Funny

    CNN has reporters? When did that start?

    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."
    1. Re:CNN? by rockabilly · · Score: 1

      CNN has reporters? When did that start?

      Ha! I'd mod you up if I could