Category: News
Updated: Jul 11, 2014
Version: 2.30 (Build 4948)
Size: 21.8 MB
Language: English
Vendor: CNN Interactive Group, Inc.
Operating System: iOS
Background
[Figure: iReport account setting]
Vulnerability – Clear Text Passwords
[Figure: iReport functionality]
Initial Account Registration
Method: POST
URL: http://audience.cnn.com/services/cnn/register.api
Host: audience.cnn.com
User-Agent: CNN/4948 (iPad; iOS 7.1.2; Scale/2.00)
Request Body: nowrap=true&termsOfService=true&displayname=zscaler&password=p%40ssword&privacy=domestic_version&email=zscalertest%40zscaler%2Ecom&kaptcha=3dbgc
Subsequent Login
Method: POST
URL: http://audience.cnn.com/services/cnn/login.api
Host: audience.cnn.com
User-Agent: CNN/4948 (iPad; iOS 7.1.2; Scale/2.00)
Request Body: doSso=false&password=p%40ssword&email=zscalertest%40zscaler%2Ecom&nowrap=true
Server Response: { , "status":"success"}
As can be seen, both requests are sent over plain HTTP, so the password (p@ssword) travels unencrypted along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim's password and access their account. Once obtained, the attacker could access the user's iReport account and compromise their anonymity. The same credentials could be used to access the user's web-based iReport account, where any past submissions are also accessible.
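The check below is an added example, not part of the original post or of ZAP. It scans proxy-captured requests for credential fields sent over plain HTTP, using the two requests shown above as constructed sample input; the field-name list and the HTTPS entry are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Field names treated as sensitive (assumption; extend for the app under test).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Constructed sample: the two requests shown above, plus a hypothetical
# HTTPS variant to show what a request with encrypted transport looks like.
CAPTURED = [
    ("POST", "http://audience.cnn.com/services/cnn/register.api",
     "nowrap=true&termsOfService=true&displayname=zscaler&password=p%40ssword"
     "&privacy=domestic_version&email=zscalertest%40zscaler%2Ecom&kaptcha=3dbgc"),
    ("POST", "http://audience.cnn.com/services/cnn/login.api",
     "doSso=false&password=p%40ssword&email=zscalertest%40zscaler%2Ecom&nowrap=true"),
    ("POST", "https://audience.cnn.com/services/cnn/login.api",
     "doSso=false&password=p%40ssword&email=zscalertest%40zscaler%2Ecom&nowrap=true"),
]


def find_cleartext_credentials(requests):
    """Return one finding per sensitive field sent over a non-TLS URL."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            continue  # transport is encrypted; not this class of issue
        # Credentials may sit in the form body or in the query string.
        fields = parse_qsl(body, keep_blank_values=True)
        fields += parse_qsl(parts.query, keep_blank_values=True)
        for name, value in fields:
            if name.lower() in SENSITIVE_FIELDS:
                findings.append({
                    "method": method,
                    "host": parts.hostname,
                    "path": parts.path,
                    "field": name,
                    # Report the length only, so the audit output does not
                    # become another copy of the password.
                    "value_length": len(value),
                })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURED):
        print("CLEARTEXT {method} {host}{path} field={field} "
              "len={value_length}".format(**f))
```
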
ZAP Analysis:
We have tested other CNN mobile apps and found that the Android app does not have this same vulnerability as it uses both SSL encryption for registration/login and SSL certificate pinning. The iReport functionality is not present in the CNN iPad application. The vulnerability was reported to CNN on July 15th. They acknowledged receipt of the report and indicated that they are investigating.
[Figure: ZAP analysis]
Conclusion
Unfortunately, it isn’t difficult to identify mobile applications that send authentication credentials in clear text. As mentioned, this was easily identified in a few minutes leveraging ZAP. For end users, however, such flaws aren’t as evident. In a web application, a user knows immediately when sensitive information is sent in clear text, as they don’t see the familiar lock and key symbol in their browser or HTTPS in the URL bar. Such feedback is not available in a mobile application, despite the fact that it is sending the same content. End users must rely on both the app developers and app store gatekeepers to prevent such flaws from being exposed in the first place. This vulnerability could easily have been caught by Apple during the vetting process that new applications go through before being included in the app store, but our research has shown us that Apple and Google simply aren’t looking for these basic security vulnerabilities.
Note:
As we reported this issue to CNN, CNN rolled out a new update with a fix for this vulnerability. The new version of the CNN app (2.3.1) is no longer vulnerable to this issue.