Thread: Security Researchers Find Out Login Information Is Being Exposed On CNN iPhone App

  1. #1
    Akshay Masand

    A security flaw in CNN’s iPhone app was reported by security researchers over at Zscaler, and the flaw apparently exposes passwords and logins of users. The iPhone’s CNN app has an iReport feature that lets users sign up and submit new stories that are out, but it has been reported as not using SSL encryption for the login. However, reports claim that the iPad CNN app does not have the same vulnerability since the iPad does not currently have the iReport feature.

    The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.

    As can be seen, both transmissions are sent in clear text (HTTP) and the password ([email protected]) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.

    It was reported that CNN was notified by Zscaler on July 15th, but the company is still investigating the flaw. The iPhone’s CNN app recently received an update that claims to have ‘bug fixes’ in the release notes. The company has not yet confirmed whether the security flaw detailed by Zscaler is addressed in the update.

    Source: Zscaler

    Twitter: @AkshayMasand
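
The check described in the post above, sketched as an added example that is not part of the original post or Zscaler's report: it scans requests exported from an intercepting proxy and flags credential fields sent over plain `http://`. The capture format, hosts, paths and field names are assumptions constructed for illustration, not CNN's actual endpoints.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Field names that usually carry secrets (assumed list; extend for the app under test).
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)

def _fields(url, content_type, body):
    """Yield (name, value) pairs from the query string and the request body."""
    yield from parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if "json" in content_type:
        try:
            data = json.loads(body or "{}")
        except ValueError:
            return  # malformed JSON: nothing further to inspect
        if isinstance(data, dict):
            yield from ((k, str(v)) for k, v in data.items())
    elif "x-www-form-urlencoded" in content_type:
        yield from parse_qsl(body or "", keep_blank_values=True)

def find_cleartext_credentials(capture):
    """Return one finding per sensitive field sent over plain http://."""
    findings = []
    for req in capture:
        url = req["url"]
        if urlsplit(url).scheme.lower() != "http":
            continue  # TLS-protected requests are out of scope for this check
        ctype = req.get("headers", {}).get("Content-Type", "").lower()
        for name, value in _fields(url, ctype, req.get("body", "")):
            if SENSITIVE.search(name) and value:
                # Mask the value so the report itself does not leak the secret.
                findings.append({"url": url, "field": name,
                                 "value": value[0] + "*" * (len(value) - 1)})
    return findings

# Constructed capture: registration and login over HTTP, plus one HTTPS login.
SAMPLE_CAPTURE = [
    {"url": "http://app.example.test/register",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=user%40example.test&password=S3cret%21&zip=10001"},
    {"url": "http://app.example.test/login?user=alice",
     "headers": {"Content-Type": "application/json"},
     "body": '{"username": "alice", "passwd": "hunter2"}'},
    {"url": "https://app.example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=user%40example.test&password=S3cret%21"},
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{f['url']}: {f['field']}={f['value']} sent without TLS")
```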

  2. #2
    Glad I don't have the CNN app. And of course it's not fixed. They prolly just did a quick update to nothing and say bug fixes to make people feel all warm and fuzzy inside until they figure out what's going on.


  3. #3
    gee... you would think this would be worthy of a CNN breaking news update... however I can't find anything about it on their site.
