
CNN iPhone app exposing login info of its iReporters unencrypted, according to security researchers

Update: Apple tells us CNN submitted fixes for both their iPhone and iPad apps that are now live on the App Store.

Security researchers at Zscaler claim to have found a security flaw in CNN’s iPhone app that exposes the personal login details and passwords of its users. The CNN app for iPhone includes an iReport feature that lets users sign up and submit news stories. Unlike its Android counterpart, the iPhone app reportedly uses neither SSL encryption for registration/login nor SSL certificate pinning, and it sends personal user information to and from the app unencrypted. The report notes that CNN’s iPad app is not subject to the same vulnerability because it currently doesn’t have the iReport feature:

The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.

As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.
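The weakness Zscaler describes is a plain-HTTP login and registration exchange that any observer on the same network can read. The following script is an added example, not code from CNN, Zscaler or 9to5Mac: it audits a set of captured app requests (constructed here, with a placeholder host and the same example password quoted above) and flags every one that carries a credential without TLS. It goes slightly beyond the report by also catching credentials placed in a query string and HTTP Basic authentication, both of which are equally readable on the wire.

```python
"""Audit captured app traffic for credentials sent without TLS.

Added example (not CNN's or Zscaler's code). Input is a list of constructed
HTTP request captures, each tagged with whether it was carried over TLS.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Field names that commonly carry a secret in login/registration forms.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed captures: (over_tls, raw_request). The host is a placeholder and
# the password value mirrors the one quoted in the Zscaler report.
CAPTURES = [
    (False,
     "POST /ireport/register HTTP/1.1\r\n"
     "Host: app.example.invalid\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "\r\n"
     "username=reporter1&email=r1%40example.invalid&password=p%40ssword"),
    (False,
     "GET /ireport/login?user=reporter1&pwd=p%40ssword HTTP/1.1\r\n"
     "Host: app.example.invalid\r\n\r\n"),
    (False,
     "GET /api/headlines HTTP/1.1\r\n"
     "Host: app.example.invalid\r\n"
     "Authorization: Basic "
     + base64.b64encode(b"reporter1:p@ssword").decode() + "\r\n\r\n"),
    (True,
     "POST /ireport/login HTTP/1.1\r\n"
     "Host: app.example.invalid\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "\r\n"
     "username=reporter1&password=p%40ssword"),
    (False,
     "GET /api/weather?city=atlanta HTTP/1.1\r\n"
     "Host: app.example.invalid\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def credential_fields(raw):
    """Return the names of credential-bearing fields found in one request."""
    _method, target, headers, body = parse_request(raw)
    found = set()
    # Query string: a secret in a GET URL is also written to server/proxy logs.
    query = urlsplit(target).query
    found |= {k for k in parse_qs(query) if k.lower() in CREDENTIAL_FIELDS}
    # Form-encoded body, the case described in the report.
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found |= {k for k in parse_qs(body) if k.lower() in CREDENTIAL_FIELDS}
    # HTTP Basic auth is base64, which is encoding, not encryption.
    if headers.get("authorization", "").lower().startswith("basic "):
        found.add("authorization:basic")
    return sorted(found)


def audit(captures):
    """Flag every request that carries a credential field without TLS."""
    findings = []
    for over_tls, raw in captures:
        fields = credential_fields(raw)
        if fields and not over_tls:
            method, target, headers, _body = parse_request(raw)
            findings.append({"host": headers.get("host", "?"),
                             "method": method,
                             "path": urlsplit(target).path,
                             "fields": fields})
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURES):
        print(f"CLEARTEXT CREDENTIAL: {f['method']} {f['host']}{f['path']} "
              f"fields={f['fields']}")
```

The TLS-tagged login in the fourth capture produces no finding even though it carries the same password field: that is the whole difference the report is pointing at. Moving the exchange to HTTPS removes the passive-sniffing exposure; adding certificate pinning on top, as the Android app reportedly does, also stops an on-path party from substituting its own certificate.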

Zscaler said it notified CNN of the security flaw on July 15th and that the company confirmed it is investigating. The CNN app for iPhone received an update today with “bug fixes” listed in the release notes, but the company has yet to confirm whether the update addresses the security flaw detailed by Zscaler.



Comments

  1. Jassi Sikand - 10 years ago

    Does the iPad version have iReport? No? Then how could it be subject to the same vulnerability? Being first doesn’t mean being best.

Author

Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & Electrek.co. He also co-authors 9to5Mac’s Logic Pros series.