CNN iPhone App Sends iReporters' Passwords In the Clear

chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

Security? In a crapp?

[Anonymous Coward]

Did anyone *really* expect a crapp to have any sort of security whatsoever?

Re:

[fuzzyfuzzyfungus]

Did anyone *really* expect a crapp to have any sort of security whatsoever?

It's a trifle surprising given that the usual 'eh, let's just wrap our shit mobile website in a UIWebView and call it a day' school of 'app' development would likely have inherited SSL through sheer laziness, while whatever attempt at app development CNN attempted is apparently so dysfunctional as to be markedly worse than the state of website logins in general, and apparently so incoherent that the phone and tablet versions don't share login behavior...

That seems like the sort of thing that takes effort

Waiting....

[gunner_von_diamond]

A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

Re:

[stephenmac7]

Those "vetting eyeballs" seem to be incompetent if they let through an app sending passwords in plain text. They're probably just making sure you're not making a web browser (without webkit) app or something else Apple doesn't like.

Re:

[Richard_at_work]

It depends what they are vetting - the security of a third party service is probably something they care little about.

Re:

[tlhIngan]

How many people are going to read this and take advantage of the flaw before Apple approves the release to the AppStore? That's one argument for Android. Not having to wait for releases of App updates.

Apple does allow for emergency updates that get you approved in about a day tops.

Though the big question is what do you get with your login? What does it let you do? Do you have to pay for it or is it free?

I mean, if it's only to submit news to CNN and comment on their posts, then really it's NBD that it's in

Re:

[Noah Haders]

whaa? how can I log into calstart with a url? link or it didn't happen.

Re:

[Smerta]

I think the real issue is that people tend to use the same login info on multiple websites. So even if having access to the victim's CNN profile is no big deal, having access to Clarence's Amazon login credentials is a whole different matter.

No excuse

[robstout]

Come on people, it's 2014, not the 90s. Why is this stuff still happening?

Re:No excuse

[Joe Gillian]

It's still happening because everyone and their mother wants the ability to have exclusive ads and information gathering on people's mobile devices. This is why you see very few robust mobile websites, because it's more profitable to collect and sell user data gathered via a mobile app (as well as serving ads).

Re:

[Anonymous Coward]

Come on people, it's 2014, not the 90s. Why is this stuff still happening?

Do you honestly believe that if Facebook stopped using HTTPS tomorrow, people would stop logging in?

People don't give a shit, and therefore coders don't give a shit. The only thing that matters is profit.

Re:

[gstoddart]

There's an easy answer: companies are more interested in "ZOMG, we have to have teh app" then they are in spending time and resources in making the app not suck.

Any app which goes out the door which is sending passwords in plaintext was either written by someone who was incompetent, or who was told by management to just ship the damned thing and get on with it.

In my experience, it's usually the latter.

And, since companies don't really bear any liability for implementing terrible security, I don't see this

Re:

[antdude]

Because they care not? :(

"malicious actors"

[BenSchuarmer]

like Mark Wahlberg?

Incompetent developers?

[QuietLagoon]

Did CNN hire the most incompetent developers in the world to write this app?

.
Instead of talking about "malicious actors", the article should be talking about malicious developers.

Re:

[gstoddart]

Instead of talking about "malicious actors", the article should be talking about malicious developers.

Or, and I think this is more likely ... malicious management who is more interested in getting something out the door than giving a damn about how much it sucks.

Find me a developer who has never been told to "just do it" and put some garbage out, and I'll show you a lucky (wo)man.

From what I've seen, this is caused by the people who make the decisions deciding they don't want to wait, or spend the time impl

CNN?

[Bodhammer]

CNN has reporters? When did that start?

Re:

[rockabilly]

CNN has reporters? When did that start?

Ha! I'd mod you up if I could