Slashdot Mirror


CNN iPhone App Sends iReporters' Passwords In the Clear

chicksdaddy (814965) writes: The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credentials snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.


  1. Re:Waiting.... by stephenmac7 · · Score: 2, Insightful

    Those "vetting eyeballs" seem to be incompetent if they let through an app sending passwords in plain text. They're probably just making sure you're not making a web browser (without webkit) app or something else Apple doesn't like.

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  2. No excuse by robstout · · Score: 2

    Come on people, it's 2014, not the 90s. Why is this stuff still happening?

    1. Re:No excuse by timrod · · Score: 3, Insightful

      It's still happening because everyone and their mother wants the ability to have exclusive ads and information gathering on people's mobile devices. This is why you see very few robust mobile websites, because it's more profitable to collect and sell user data gathered via a mobile app (as well as serving ads).

  3. Incompetent developers? by QuietLagoon · · Score: 3, Insightful

    Did CNN hire the most incompetent developers in the world to write this app?

    Instead of talking about "malicious actors", the article should be talking about malicious developers.

    1. Re:Incompetent developers? by gstoddart · · Score: 2

      Instead of talking about "malicious actors", the article should be talking about malicious developers.

      Or, and I think this is more likely ... malicious management who is more interested in getting something out the door than giving a damn about how much it sucks.

      Find me a developer who has never been told to "just do it" and put some garbage out, and I'll show you a lucky (wo)man.

      From what I've seen, this is caused by the people who make the decisions deciding they don't want to wait, or spend the time implementing security.

      --
      Lost at C:>. Found at C.
  4. Re:Waiting.... by Richard_at_work · · Score: 2

    It depends what they are vetting - the security of a third party service is probably something they care little about.

  5. CNN? by Bodhammer · · Score: 4, Funny

    CNN has reporters? When did that start?

    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."