
CNN iPhone App Sends iReporters' Passwords In the Clear

Unknown Lamer posted about 4 months ago | from the safe-reporting dept.

Encryption 40

chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credentials snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

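The summary describes the flaw only in outline: a login request that leaves the device over plain HTTP can be read by anyone on the same network. The following is an added example, not code from the Security Ledger, zScaler or CNN, showing how an analyst would confirm such a leak from captured traffic: it parses raw TCP payloads as HTTP/1.x requests and flags credential-looking fields in the query string, in Basic auth headers, and in form-encoded or JSON bodies, while leaving TLS records alone. The sample payloads, hostnames and field names are constructed for the example.

```python
"""Flag HTTP requests that carry credentials in the clear.

Added example. The payloads in SAMPLES are hand-written TCP segments
standing in for what a sniffer on a shared Wi-Fi network would capture;
the hostnames, paths and credentials are invented.
"""
import base64
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Field names that commonly carry secrets in login/registration requests.
SECRET_FIELDS = re.compile(r"(pass(word|wd)?|pwd|secret|token|session)", re.I)


@dataclass
class Finding:
    where: str   # "query", "body" or "header"
    field: str
    value: str


def parse_http_request(payload: bytes):
    """Return (method, target, headers, body) for a plaintext HTTP/1.x request, else None."""
    # A TLS record starts with a content-type byte (0x16 = handshake); it is opaque to us.
    if payload[:1] == b"\x16":
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return m.group(1), m.group(2), headers, body


def _scan_pairs(pairs, where):
    return [Finding(where, k, v) for k, v in pairs if SECRET_FIELDS.search(k) and v]


def find_cleartext_credentials(payload: bytes) -> list:
    """Every credential-looking value this request exposes on the wire."""
    req = parse_http_request(payload)
    if req is None:
        return []
    _method, target, headers, body = req
    findings = []
    # 1. Secrets in the query string also end up in server and proxy logs.
    findings += _scan_pairs(parse_qsl(urlsplit(target).query), "query")
    # 2. HTTP Basic auth: base64 is an encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
            findings.append(Finding("header", "authorization", f"{user}:{pw}"))
        except (ValueError, UnicodeDecodeError):
            pass
    # 3. Form-encoded or JSON request bodies.
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        findings += _scan_pairs(parse_qsl(body.decode("latin-1")), "body")
    elif "application/json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        if isinstance(doc, dict):
            findings += _scan_pairs([(k, str(v)) for k, v in doc.items()], "body")
    return findings


# Constructed captures: one leak per style, plus two that must not be flagged.
SAMPLES = {
    "form_post": (b"POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"username=ireporter&password=hunter2"),
    "query_get": b"GET /session?user=bob&passwd=s3cret HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "basic_auth": (b"GET /upload HTTP/1.1\r\nHost: app.example\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"alice:pa55") + b"\r\n\r\n"),
    "json_post": (b"POST /v2/auth HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Type: application/json\r\n\r\n"
                  + json.dumps({"email": "c@example", "password": "letmein"}).encode()),
    "tls_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32,
    "plain_get": b"GET /news HTTP/1.1\r\nHost: app.example\r\n\r\n",
}


def audit(samples=SAMPLES):
    """Map sample name -> list of (where, field) pairs found in the clear."""
    return {name: [(f.where, f.field) for f in find_cleartext_credentials(p)]
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:10s} {'LEAK ' + str(hits) if hits else 'ok'}")
```

Run against a real capture, the same logic would sit behind a pcap reader that reassembles TCP streams; the point of the toy version is that the check needs no decryption at all, which is exactly why an attacker on the same hotspot needs none either.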

Security? In a crapp? (1)

Anonymous Coward | about 4 months ago | (#47515579)

Did anyone *really* expect a crapp to have any sort of security whatsoever?

Re:Security? In a crapp? (0)

Anonymous Coward | about 4 months ago | (#47515999)

Of course it is Apple's fault for not auditing well enough to find these flaws.

Re:Security? In a crapp? (1)

fuzzyfuzzyfungus (1223518) | about 4 months ago | (#47516325)

Did anyone *really* expect a crapp to have any sort of security whatsoever?

It's a trifle surprising given that the usual 'eh, let's just wrap our shit mobile website in a UIWebView and call it a day' school of 'app' development would likely have inherited SSL through sheer laziness, while whatever attempt at app development CNN attempted is apparently so dysfunctional as to be markedly worse than the state of website logins in general, and apparently so incoherent that the phone and tablet versions don't share login behavior...

That seems like the sort of thing that takes effort to screw up.

Waiting.... (1)

gunner_von_diamond (3461783) | about 4 months ago | (#47515589)

A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

Re:Waiting.... (0)

Anonymous Coward | about 4 months ago | (#47515615)

"Not having to wait for releases of App updates." - yeah, because you've skipped a round of vetting eyeballs.

Re:Waiting.... (2, Insightful)

stephenmac7 (2700151) | about 4 months ago | (#47515625)

Those "vetting eyeballs" seem to be incompetent if they let through an app sending passwords in plain text. They're probably just making sure you're not making a web browser (without webkit) app or something else Apple doesn't like.

Re:Waiting.... (0)

Anonymous Coward | about 4 months ago | (#47515691)

I think they're more interested in preventing compromise of their app store, as in trojans being sold as easter-eggs. You see those on android, not on istore.

Re:Waiting.... (2)

Richard_at_work (517087) | about 4 months ago | (#47515879)

It depends what they are vetting - the security of a third party service is probably something they care little about.

Re:Waiting.... (0)

Anonymous Coward | about 4 months ago | (#47515633)

That round of vetting eyeballs really helped here didn't it.

Re:Waiting.... (0)

Anonymous Coward | about 4 months ago | (#47515731)

If someone took advantage of the flaw, would anyone notice?

Re:Waiting.... (0)

Anonymous Coward | about 4 months ago | (#47515825)

A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore?
That's one argument for Android. Not having to wait for releases of App updates.

Yup, that's one argument for Android alright...thinking that not waiting around for the official vetted update from Android and instead waiting on the (always honest and trusting) user community to conveniently supply one for you is somehow quick, convenient, and safe.

Good luck with that ignorance, along with the fact that Android will likely remain THE #1 targeted mobile platform. Have fun.

Re:Waiting.... (1)

tlhIngan (30335) | about 4 months ago | (#47516141)

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

Apple does allow for emergency updates that get you approved in about a day tops.

Though the big question is what do you get with your login? What does it let you do? Do you have to pay for it or is it free?

I mean, if it's only to submit news to CNN and comment on their posts, then really it's NBD that it's in the clear - not ideal, but really, you get to post news as someone else, whoop-di-do.

Just like how you can log into ./ using a URL. Yay, so it's compromised and someone can post as me. Big freaking deal.

(Oh, and you need to sniff the password while the user is using it, so while it's easy to do, practically speaking, I don't think you're that likely to encounter too many people using it to make it worthwhile).

Re:Waiting.... (1)

Noah Haders (3621429) | about 4 months ago | (#47517703)

whaa? how can I log into calstart with a url? link or it didn't happen.

Re:Waiting.... (1)

Smerta (1855348) | about 3 months ago | (#47522201)

I think the real issue is that people tend to use the same login info on multiple websites. So even if having access to the victim's CNN profile is no big deal, having access to Clarence's Amazon login credentials is a whole different matter.

No excuse (2)

robstout (2873439) | about 4 months ago | (#47515703)

Come on people, it's 2014, not the 90s. Why is this stuff still happening?

Re:No excuse (3, Insightful)

Joe Gillian (3683399) | about 4 months ago | (#47515791)

It's still happening because everyone and their mother wants the ability to have exclusive ads and information gathering on people's mobile devices. This is why you see very few robust mobile websites, because it's more profitable to collect and sell user data gathered via a mobile app (as well as serving ads).

Re:No excuse (1)

Anonymous Coward | about 4 months ago | (#47515843)

Come on people, it's 2014, not the 90s. Why is this stuff still happening?

Do you honestly believe that if Facebook stopped using HTTPS tomorrow, people would stop logging in?

People don't give a shit, and therefore coders don't give a shit. The only thing that matters is profit.

Re:No excuse (1)

gstoddart (321705) | about 4 months ago | (#47515931)

There's an easy answer: companies are more interested in "ZOMG, we have to have teh app" than they are in spending time and resources in making the app not suck.

Any app which goes out the door which is sending passwords in plaintext was either written by someone who was incompetent, or who was told by management to just ship the damned thing and get on with it.

In my experience, it's usually the latter.

And, since companies don't really bear any liability for implementing terrible security, I don't see this changing.

My bet, there were a few people who knew this, pointed it out, and got told to STFU. If nobody knew about this, well, then we'll revert back to incompetence and people who have no idea of how to write for security.

Re:No excuse (-1)

Anonymous Coward | about 4 months ago | (#47516095)

And, since companies don't really bear any liability for implementing terrible security, I don't see this changing.

While it is terrible security, it is also a trivial vulnerability. It allows a third party who is actively packet-sniffing (not hard, but not universal either) to steal your credentials to access CNN's 'posts from nobodies' page. It's about as severe a risk as someone writing a letter to the newspaper using your name and return address on the envelope.

Re:No excuse (0)

Anonymous Coward | about 4 months ago | (#47516643)

of course unless they use that username and password elsewhere. Or if they're being somewhat malicious, they know the individual and know what some other account names are. Now if people were intelligent and didn't use the same password across important sites so their CNN password wasn't their bank password, no problem, but yeah....

Re:No excuse (1)

antdude (79039) | about 4 months ago | (#47518069)

Because they care not? :(

"malicious actors" (1)

BenSchuarmer (922752) | about 4 months ago | (#47515739)

like Mark Wahlberg?

Incompetent developers? (3, Insightful)

QuietLagoon (813062) | about 4 months ago | (#47515787)

Did CNN hire the most incompetent developers in the world to write this app?

Instead of talking about "malicious actors", the article should be talking about malicious developers.

Re:Incompetent developers? (0)

Anonymous Coward | about 4 months ago | (#47515845)

Did CNN hire the most incompetent developers in the world to write this app?

No, they just asked iCoders to submit any apps they'd written and then posted them on the website.

Re:Incompetent developers? (2)

gstoddart (321705) | about 4 months ago | (#47516017)

Instead of talking about "malicious actors", the article should be talking about malicious developers.

Or, and I think this is more likely ... malicious management who is more interested in getting something out the door than giving a damn about how much it sucks.

Find me a developer who has never been told to "just do it" and put some garbage out, and I'll show you a lucky (wo)man.

From what I've seen, this is caused by the people who make the decisions deciding they don't want to wait, or spend the time implementing security.

Re:Incompetent developers? (0)

Anonymous Coward | about 4 months ago | (#47516119)

Irony here is all the reporting they've done about computers, technology, and security, especially passwords. In response to all that parroting about 'safety' of your information online, they seem to show what truly matters. Corporate incompetence.

Re:Incompetent developers? (0)

Anonymous Coward | about 4 months ago | (#47516551)

Corporate incompetence. Did you expect anything else from the Crappy News Network?

Re:Incompetent developers? (0)

Anonymous Coward | about 4 months ago | (#47517489)

Speaking of incompetent developers, Slashdot's login sends passwords in the clear.

Re:Incompetent developers? (1)

trevc (1471197) | about 4 months ago | (#47517993)

OMG! OMG! OMG!

Re:Incompetent developers? (0)

Anonymous Coward | about 4 months ago | (#47518171)

Speaking of incompetent developers, Slashdot's login sends passwords in the clear.

That's actually not true, the form's target is https://slashdot.org/my/login.
Of course, this is not much better since it leaves you vulnerable to an sslstrip-like attack unless you check the site's source code and verify the form sends its data over HTTPS every time you log in (Note that even that might not be enough, since e.g. Firefox makes a fresh HTTP request when you display the page source by pressing CTRL+u, meaning the source code you see there is not necessarily the same that was used to render the page).

However, I fail to see what's newsworthy about this story. Don't get me wrong, sure it would be better if they used a properly encrypted channel or at least a cryptographically secure challenge-response authentication. But there are so many apps out there (even big, well-known ones) that still have cleartext logins or otherwise horrible security and nobody seems to care about them. A lot of websites are not much better. Heck, it wasn't until the Arab Spring that Facebook & co. rolled out HTTPS for all of their users. And apps are much worse. The majority of mobile apps that use some sort of remote profile have no security at all. Even some of the (sadly) most-used ones that are used to transmit much more private data than this app still struggle with proper encryption (WhatsApp comes to mind).

My guess is most otherwise technically knowledgeable people don't realize how bad mobile app security is because you usually don't see how an app transmits its data. On the web, at least there is a standardized protocol, and the users can see whether the traffic to a page is encrypted or not.
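The comment above makes a point that is easy to get wrong when auditing a login page: an https:// form action is only as trustworthy as the page that delivered it, because a page fetched over plain HTTP can be rewritten in transit (the sslstrip case). The following is an added example, not code from the commenter or from Slashdot, that applies that rule mechanically: it parses the HTML of a page, finds every form containing a password field, resolves the form's action against the page URL, and classifies the result as ok (HTTPS page and HTTPS action), cleartext (action over HTTP, whatever the page), or strippable (HTTPS action carried by an HTTP page). The page URLs and HTML snippets are constructed; they are not Slashdot's actual markup.

```python
"""Classify where a login form will send the password.

Added example. The HTML and URLs below are constructed; the rule encoded
here is that a form delivered over plain HTTP can be altered by anyone on
the path, so an https:// action on an http:// page protects nothing
against an active attacker.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s resolved action and whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify(page_url, action_url):
    """'ok', 'cleartext' or 'strippable' for a password form on page_url posting to action_url."""
    page_https = urlsplit(page_url).scheme == "https"
    action_https = urlsplit(action_url).scheme == "https"
    if page_https and action_https:
        return "ok"
    if not action_https:
        return "cleartext"      # the password leaves the browser unencrypted
    return "strippable"         # HTTPS action, but the form itself arrived over HTTP


def login_form_risk(page_url, html):
    """One {"action", "risk"} entry per form on the page that carries a password field."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    return [{"action": f["action"], "risk": classify(page_url, f["action"])}
            for f in collector.forms if f["has_password"]]


# Constructed page: a login form with an HTTPS action plus an unrelated search form.
LOGIN_HTML = (
    '<form method="post" action="https://news.example/my/login">'
    '<input name="nick"><input type="password" name="pw"></form>'
    '<form action="/search"><input name="q"></form>'
)
# What the browser would receive if an on-path attacker rewrote the action.
STRIPPED_HTML = LOGIN_HTML.replace("https://", "http://")


if __name__ == "__main__":
    for page in ("https://news.example/", "http://news.example/"):
        print(page, login_form_risk(page, LOGIN_HTML))
    print("http://news.example/ (rewritten)", login_form_risk("http://news.example/", STRIPPED_HTML))
```

The check is deliberately done on the bytes that were actually rendered rather than on a separately fetched view-source copy, which is the weakness the comment notes with Firefox's CTRL+u; in an audit you would feed it the response body recorded by a proxy or the browser's own network log.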

iPhone app different from iPad app? (0)

Anonymous Coward | about 4 months ago | (#47515827)

Doesn't anyone else find it disturbing that they seem to need to maintain a different app for iPad and iPhone? Both devices run iOS - the real difference is just screen size and phone dialer. I guess this came into play because of Apple's original insistence on one single screen resolution? Because this doesn't happen on Android. Sure, there are apps that don't look nice on a large screen tablet because the developer didn't deal with different resolutions well. But they do WORK and you don't need to maintain separate apps. More enlightened developers have apps that look great on both phones and tablets. Is it really required anymore to have separate apps for iOS or is this just another thing the CNN developers did wrong?

iPhone app different from iPad app? (0)

Anonymous Coward | about 4 months ago | (#47516111)

Xcode guides you, actually almost forces you, to make a single application that works on all their iOS devices.

CNN went out of their way to make two different applications.

CNN? (4, Funny)

Bodhammer (559311) | about 4 months ago | (#47515969)

CNN has reporters? When did that start?

Re:CNN? (1)

rockabilly (468561) | about 4 months ago | (#47515991)

CNN has reporters? When did that start?

Ha! I'd mod you up if I could

Re:CNN? (0)

Anonymous Coward | about 4 months ago | (#47516129)

I think CNN used to have reporters.

Not sure when they all left, but it was before the first Gulf War started.

Re:CNN? (0)

Anonymous Coward | about 4 months ago | (#47519877)

CNN has reporters? When did that start?

I used to watch Chuck Roberts and Judy Fortin on CNN headline news during lunch. As a TEENAGER. That was quality news reporting. What's happened in the past 10-15 years has been absolutely abysmal to watch ... news networks that care more about profit than providing a public service. Still some rays of hope left - but not many.

majority (0)

Anonymous Coward | about 4 months ago | (#47516099)

I'm pretty sure a majority of apps send user credentials in cleartext. We just don't know about it cause no one's looked into it.

yuo Fai7 It... (-1)

Anonymous Coward | about 4 months ago | (#47516203)

a sad world. At New core is going fear the reaper would mar BSD's gave the BSD milestones, telling schemes. Frankly show that FreeBSD project returns *BSD is dying It is A previously hand...don't more grandiose NIGGER ASSOCIATION ass until I hit my nearly two years like they are Come offended some TO THE TRANSMISSION Prima donnas to Duty to be a big use the sling. of a solid dose rivalry, and we'll invited back again. the pub7ic eye: appeared...saying community at recruitment, but hype - BSD's Creek, abysmal I burnt out. I You don't need to We need to address

Open source (0)

Anonymous Coward | about 4 months ago | (#47516311)

They heard "open" means "secure", but they never got the details

SMH (0)

Anonymous Coward | about 4 months ago | (#47516731)

It's 2014, whoever thought it was a good idea to send plain text passwords should be fired.. I doubt CNN is the only one that does it, but still we should be past this type of shit.
