
QuizUp, which has been one of the top-selling iOS apps for the past week or so, is full of “shocking” security holes, claims Kyle Richter, the developer behind the popular competing (so..) trivia game Trivium in a blog post.

What I found was at first surprising; then shocking […]

They actually send you other users’ personal information via plain text (un-hashed), right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is.

I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense … 

As TechCrunch notes, sending unencrypted sensitive data in a way that is vulnerable to interception is exactly what got Path into trouble, resulting in an $800,000 settlement with the FTC.

Richter declined to go into detail about the exploit he used, but has passed full details to QuizUp developers Plain Vanilla. Plain Vanilla CEO Thor Fridriksson claims there are inaccuracies in the blog claims, though admitted in a statement to TechCrunch that there are weaknesses.

Due to a bug in our third-party network library this encryption could be weakened on some occasions. This issue has been addressed in an update awaiting review at Apple. Users’ passwords are hashed before we store them in our databases. The user’s Facebook access token is never stored in plain text on the client.

Our users’ address books are not stored on our servers and are only used temporarily to help us find your friends. It was a mistake to not hash the contents of the address book before sending to our servers, and we are currently changing the client application so it hashes the address book contents before sending to our servers.

The key issues appear to be that although SSL is used to transmit the data, both the contact data and the Facebook access token were transmitted in plain text and could be easily intercepted.
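The client-side address-book hashing that Plain Vanilla describes as its fix, as an added Python example (not QuizUp's own code, which is not public): the client normalizes and hashes each contact identifier before upload, and the server matches the digests against its own registered users without ever receiving raw contacts. The contact list and user registry below are constructed sample data.

```python
import hashlib
import re
from typing import Dict, List, Optional

def normalize_identifier(value: str) -> Optional[str]:
    """Canonicalize an e-mail or phone number so the same contact hashes
    identically on every device. Returns None for unusable entries.
    (Lower-casing the whole e-mail is a practical simplification.)"""
    value = value.strip()
    if "@" in value:
        return value.lower()
    digits = re.sub(r"\D", "", value)
    if len(digits) < 10:           # too short to be a full phone number
        return None
    return digits

def hash_identifier(identifier: str) -> str:
    """SHA-256 hex digest of a normalized identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def hash_address_book(contacts: List[str]) -> List[str]:
    """Client side: only these digests leave the device, not the raw book."""
    digests = set()
    for contact in contacts:
        normalized = normalize_identifier(contact)
        if normalized is not None:
            digests.add(hash_identifier(normalized))
    return sorted(digests)

def find_friends(uploaded: List[str], registered: Dict[str, str]) -> List[str]:
    """Server side: registered maps user id -> normalized identifier the user
    signed up with. Matching is done on digests, so the server never sees
    the uploading user's raw contacts."""
    index = {hash_identifier(ident): uid for uid, ident in registered.items()}
    return sorted(index[d] for d in uploaded if d in index)

# Constructed sample data for the demonstration
CONTACTS = ["Alice@Example.com", "+1 (555) 010-0001", "bob@example.com", "555-0002"]
REGISTERED = {"u17": "alice@example.com", "u42": "15550100001", "u99": "carol@example.com"}

if __name__ == "__main__":
    print(find_friends(hash_address_book(CONTACTS), REGISTERED))
```

Hashing protects the raw list in transit and at rest, but because phone numbers and many e-mail addresses are low-entropy, an unkeyed digest can still be matched by enumeration; a keyed or rate-limited matching scheme is needed where contact privacy against the server itself is a goal.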

As of the time of writing, Plain Vanilla says that the server fix has already been made and that a revised version of the app is awaiting approval by Apple.