Monday, July 21, 2014

Mobile App Wall of Shame: CNN App for iPhone

Price: Free
Category: News
Updated: Jul 11, 2014
Version: Version 2.30 (Build 4948)
Size: 21.8 MB
Language: English
Vendor: CNN Interactive Group, Inc.
Operating System: iOS

Background

The CNN App for iPhone is one of the most popular news applications available for the iPhone. At present, it is sitting at #2 in the iTunes free News app category and #165 among all free apps. Along with providing news stories, alerts and live video, it also includes iReport functionality, allowing users to upload photos, video and narrative to contribute to CNN news reports. The functionality includes the ability to register for an account by providing an email address, username and password. Users can optionally provide a real name and phone number. Logging into an existing iReport account or creating a new account can be accessed via More → Settings → iReport in the main menu. The user can then access the iReport Assignments section, which is accessible via This is CNN → iReport in the main menu.



Vulnerability – Clear Text Passwords

The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it's especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins. Traffic sniffed from the app using Zscaler's free ZAP tool illustrates the problem.






Initial Account Registration

Method: POST
User-Agent: CNN/4948 (iPad; iOS 7.1.2; Scale/2.00)
Request Body: nowrap=true&termsOfService=true&displayname=zscaler&password=p%40ssword&privacy=domestic_version&email=zscalertest%40zscaler%2Ecom&kaptcha=3dbgc

Subsequent Login

Method: POST
User-Agent: CNN/4948 (iPad; iOS 7.1.2; Scale/2.00)
Request Body: doSso=false&password=p%40ssword&email=zscalertest%40zscaler%2Ecom&nowrap=true
Server Response:{ , "status":"success"}

As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim's password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user's web based iReport account where any past submissions are also accessible.
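The check below is an added example, not part of the original post or of Zscaler's ZAP tool: it scans captured requests and flags any that carry a password-like field over plain HTTP, using the two request bodies shown above. The host, paths, record shape and list of sensitive field names are assumptions, since the post does not give the request URLs.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets (an assumed list; extend it for your app).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

def cleartext_credentials(requests):
    """Flag captured requests that carry secret fields over plain HTTP.

    `requests` is an iterable of dicts with 'method', 'url' and 'body' keys
    (an assumed record shape, e.g. converted from a proxy export).
    Only field names are reported, so the findings never repeat the secret.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # sent over TLS, so not a clear-text finding
        # Secrets can travel in the query string as well as the form body.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        pairs += parse_qsl(req.get("body") or "", keep_blank_values=True)
        leaked = sorted({k for k, v in pairs if k.lower() in SENSITIVE and v})
        if leaked:
            findings.append({"method": req["method"], "host": parts.netloc,
                             "path": parts.path, "fields": leaked})
    return findings

# Constructed capture: the two request bodies are the ones shown above; the
# host and paths are placeholders, because the page does not give the URLs.
HOST = "ireport.example.invalid"
REGISTER_BODY = ("nowrap=true&termsOfService=true&displayname=zscaler"
                 "&password=p%40ssword&privacy=domestic_version"
                 "&email=zscalertest%40zscaler%2Ecom&kaptcha=3dbgc")
LOGIN_BODY = ("doSso=false&password=p%40ssword"
              "&email=zscalertest%40zscaler%2Ecom&nowrap=true")
SAMPLE = [
    {"method": "POST", "url": f"http://{HOST}/register", "body": REGISTER_BODY},
    {"method": "POST", "url": f"http://{HOST}/login", "body": LOGIN_BODY},
    # Same login over HTTPS: must not be flagged.
    {"method": "POST", "url": f"https://{HOST}/login", "body": LOGIN_BODY},
    # Plain-HTTP request with no secret field: must not be flagged.
    {"method": "GET", "url": f"http://{HOST}/feed?nowrap=true", "body": ""},
]

if __name__ == "__main__":
    for f in cleartext_credentials(SAMPLE):
        print(f"{f['method']} http://{f['host']}{f['path']} leaks {f['fields']}")
```

Run against a proxy capture of an app's registration and login flows, any finding means the credential is readable by anyone on the same network path.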

We have tested other CNN mobile apps and found that the Android app does not have this same vulnerability as it uses both SSL encryption for registration/login and SSL certificate pinning. The iReport functionality is not present in the CNN iPad application. The vulnerability was reported to CNN on July 15th. They acknowledged receipt of the report and indicated that they are investigating.

Conclusion

Unfortunately, it isn’t difficult to identify mobile applications that send authentication credentials in clear text. As mentioned, this was easily identified in a few minutes leveraging ZAP. For end users, however, such flaws aren’t as evident. In a web application, a user knows immediately when sensitive information is sent in clear text, as they don’t see the familiar lock and key symbol in their browser or HTTPS in the URL bar. Such feedback is not available in a mobile application, despite the fact that it is sending the same content. End users must rely on both the app developers and app store gatekeepers to prevent such flaws from being exposed in the first place. This vulnerability could easily have been caught by Apple during the vetting process that they subject new applications to before including them in the app store, but our research has shown us that Apple and Google simply aren’t looking for these basic security vulnerabilities.

Note:
After we reported this issue to CNN, CNN rolled out a new update with a fix for this vulnerability. The new version of the CNN app (2.3.1) is no longer vulnerable to this issue.
