
Mobile App Wall Of Shame: Tinychat For IPhone

VIRAL GANDHI
February 20, 2015 - 2 min read

Tinychat
 
Price : Free
Category : Social Networking
Updated : December 29, 2014
Version : 5.0
Size : 19.41 MB
Language : English
Vendor : Tinychat Co
Operating system : iOS
 
 
Background:

Tinychat is a group video chat application that allows users to chat online and also create their own chat rooms. Currently, this application is ranked among the top 200 apps in the Social Networking category on the iTunes app store. Tinychat claims 5 million minutes of usage per day, making it one of the largest voice and video chat communities on the Internet today.

A user must submit their email address and password in order to create an account. Alternatively, a user can also use their Facebook or Twitter account to log in to this application.
 
 
 Vulnerability - Clear text username/password
 
[Figure: App login page]
The current Tinychat app (verified on version 5.0) has a serious information leakage flaw whereby the Tinychat user's username and password are sent in clear text (unencrypted) to the application server. This vulnerability would make it possible for an attacker to easily sniff network traffic and compromise the user account.
 
 
Below is the sample capture of a Tinychat user login attempt. As seen in the request, the username & password information is sent in clear text.
 
 
 
 
 
 
Login:
[Figure: Login capture]
 
 
Similarly, when a user attempts to register an account on Tinychat, the following HTTP request is generated. The username, password and email address information of the user passes in clear text as seen in the request below:

Account registration:
 
[Figure: Registration capture]

An attacker can easily take over the victim's account by sniffing the vulnerable application's network traffic. This can lead to more sophisticated attacks and, because of password reuse, often to the compromise of other applications/services.
 
 
ZAP Analysis:
[Figure: ZAP in action.]
This flaw was identified using Zscaler Application Profiler (ZAP). ZAP is a free online tool that can be used to analyze mobile applications for vulnerabilities and privacy issues as seen in the above screenshot. We have reached out to Tinychat developers, informing them of this security flaw.

Conclusion:

This type of security flaw can be uncovered by simply analyzing the network traffic sent by the application. It is disappointing to see such applications being uploaded to the Apple iTunes store without basic security tests, such as checking for clear text usernames/passwords, being conducted. This is not the first time we have seen a popular iOS application with this security flaw, but Apple continues to omit a basic security check from its vetting process for adding new applications to the app store.
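The traffic check described above, as an added example (not ZAP's code and not part of the original post): it parses a captured HTTP request and reports credential-like field names that were sent without TLS. The host, paths, field names and sample requests are constructed placeholders, not Tinychat's actual traffic, and the `tls` flag is assumed to come from the capture tool.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Name fragments that suggest a credential or account identifier (assumed list).
SENSITIVE = ("pass", "pwd", "user", "login", "email", "token")

def parse_request(raw):
    """Split a raw HTTP/1.x request into (target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return target, headers, body

def extract_fields(target, headers, body):
    """Collect parameter names from the query string and a form or JSON body."""
    fields = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    ctype = headers.get("content-type", "").lower()
    if "application/x-www-form-urlencoded" in ctype:
        fields += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    elif "application/json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            data = {}  # malformed body: nothing to report from it
        if isinstance(data, dict):
            fields += list(data)
    return fields

def audit_flow(raw, tls):
    """Return sorted credential-like field names sent without TLS (values are never returned)."""
    if tls:
        return []
    target, headers, body = parse_request(raw)
    return sorted({f for f in extract_fields(target, headers, body)
                   if any(s in f.lower() for s in SENSITIVE)})

# Constructed sample flows; every name below is a placeholder.
LOGIN = ("POST /api/login HTTP/1.1\r\nHost: app.example.test\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "username=alice&password=placeholder&remember=1")
REGISTER = ("POST /api/register HTTP/1.1\r\nHost: app.example.test\r\n"
            "Content-Type: application/json\r\n\r\n"
            '{"username": "alice", "password": "placeholder", '
            '"email": "alice@example.test", "lang": "en"}')

if __name__ == "__main__":
    for name, raw in (("login", LOGIN), ("register", REGISTER)):
        print(name, "sent in clear text:", audit_flow(raw, tls=False))
```

Run as part of pre-release testing, a non-empty result for any flow captured on a plain HTTP connection is a release blocker.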

Credit: Analysis by Lakshmi.