Price : Free
Category : Social Networking
Updated : December 29, 2014
Version : 5.0
Size : 19.41 MB
Language : English
Vendor : Tinychat Co
Operating system : iOS
Tinychat is a group video chat application that allows users to chat online and also create their own chat rooms. Currently, this application is ranked among the top 200 apps in the Social Networking category on the iTunes app store. Tinychat claims 5 million minutes of usage per day, making it one of the largest voice and video chat communities on the Internet today.
A user must submit their email address and password in order to create an account. Alternatively, a user can use their Facebook or Twitter account to log in to this application.
Vulnerability - Clear text username/password
|App Login page |
The current Tinychat App (verified on Version 5.0) has a serious information leakage flaw whereby username & password information for the Tinychat user is sent in clear text (unencrypted) to the application server. This vulnerability would make it possible for an attacker to easily sniff network traffic and compromise the user account.
Below is the sample capture of a Tinychat user login attempt. As seen in the request, the username & password information is sent in clear text.
|Login Capture |
Similarly, when a user attempts to register an account on Tinychat, the following HTTP request is generated. The username, password and email address information of the user passes in clear text as seen in the request below:
|Registration Capture |
An attacker can easily take over the victim's account by sniffing the vulnerable application's network traffic. This can further lead to more sophisticated attacks and can often lead to the compromise of other applications/services due to password reuse.
|ZAP in action. |
This flaw was identified using Zscaler Application Profiler (ZAP). ZAP is a free online tool that can be used to analyze mobile applications for vulnerabilities and privacy issues as seen in the above screenshot. We have reached out to Tinychat developers, informing them of this security flaw.
This type of security flaw can be uncovered by simply analyzing the network traffic sent by the application. It is disappointing to see such applications being uploaded to the Apple iTunes store without basic security tests, such as checking for clear text usernames/passwords, being conducted. This is not the first time we have seen a popular iOS application with this security flaw, but Apple continues to neglect performing a basic security check as part of its vetting process for adding new applications to the app store.
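The traffic check described above can be automated as a pre-release test. The following is an added example, not Zscaler's or Tinychat's code: it scans requests exported from a test proxy and reports credential fields sent over plain HTTP. The host, paths and parameter names in the sample are constructed, since the original captures are only available as screenshots.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (an assumption; extend for your app).
SENSITIVE = {"password", "passwd", "pass", "pwd", "username", "user", "email", "login"}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_cleartext_credentials(captures):
    """captures: (scheme, raw_request) pairs from a proxy in front of the app under test."""
    findings = []
    for scheme, raw in captures:
        if scheme.lower() != "http":
            continue  # TLS-protected on the wire; out of scope for this check
        method, target, headers, body = parse_request(raw)
        fields = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
            fields += parse_qsl(body, keep_blank_values=True)
        leaked = sorted({k for k, _ in fields if k.lower() in SENSITIVE})
        if leaked:
            # Report field names only, never the captured values.
            findings.append({"host": headers.get("host", "?"), "method": method,
                             "path": urlsplit(target).path, "fields": leaked})
    return findings

# Constructed sample traffic (host, paths and parameter names are illustrative).
SAMPLE = [
    ("http", "POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=alice&password=hunter2"),
    ("http", "GET /register?email=a%40example.test&password=x HTTP/1.1\r\n"
             "Host: app.example.test\r\n\r\n"),
    ("https", "POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "username=alice&password=hunter2"),
    ("http", "GET /rooms?page=2 HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE):
        print(finding)
```

Wired into a build pipeline, a non-empty result fails the release until the login and registration endpoints are moved to HTTPS.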
Credit: Analysis by Lakshmi.