More and more mobile devices are being released every year with better and higher quality cameras, allowing nearly anyone to share the news faster than a major news corporation can even fathom. Founded in 2014 by Thiel fellow John Meyer, Fresco puts a focus on getting citizen journalism the credit it deserves. Today Fresco announced an Apple TV version of their Fresco News app, which curates the best content of the day, and delivers facts on international events in a fresh way.
iReport Stories January 26, 2016
iReport Stories July 23, 2014
CNN iPhone app exposing login info of its iReporters unencrypted, according to security researchers
Update: Apple tells us CNN submitted fixes for both their iPhone and iPad apps that are now live on the App Store.
Security researchers at Zscaler claim to have found a security flaw in CNN’s iPhone app that exposes the personal logins and passwords of its users. The CNN app for iPhone, which includes an iReport feature that allows users to sign up and submit news stories, reportedly does not use SSL encryption for registration/login or SSL certificate pinning as its Android counterpart does, and sends personal user info to and from the app unencrypted. The report notes that CNN’s iPad app is not subject to the same vulnerability, as it currently doesn’t have the iReport feature:
The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.
As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web-based iReport account where any past submissions are also accessible.
Zscaler said it notified CNN of the security flaw on July 15th and that the company confirmed it’s investigating. The CNN app for iPhone received an update today with “bug fixes” listed in the release notes, but the company has yet to confirm whether the update addresses the security flaw detailed by Zscaler.
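For teams testing their own apps, the class of flaw described above (registration and login fields sent over plain HTTP) can be caught by auditing traffic recorded from a test build. The following is an added example, not code from Zscaler's report or from CNN; the record layout, host names and the list of sensitive field names are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Field names treated as credentials (assumed list; extend per app).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

def _fields(body, content_type):
    """Return (name, value) pairs from a form-encoded or JSON request body."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data.items()) if isinstance(data, dict) else []
    return parse_qsl(body, keep_blank_values=True)

def audit(requests):
    """Flag requests that carry credential fields over plain HTTP.

    `requests` is a list of dicts with url, content_type and body, as a
    test proxy might record them (hypothetical record layout).
    """
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme.lower() != "http":
            continue  # TLS in use; certificate pinning is a separate check
        ctype = req.get("content_type", "").lower()
        pairs = parse_qsl(url.query) + _fields(req.get("body", ""), ctype)
        leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
        if leaked:
            findings.append((url.netloc + url.path, leaked))
    return findings

# Constructed sample traffic; hosts and field names are placeholders.
SAMPLE = [
    {"url": "http://app.example.test/register",
     "content_type": "application/x-www-form-urlencoded",
     "body": "email=user%40example.test&password=p%40ssword"},
    {"url": "https://app.example.test/login", "content_type": "application/json",
     "body": '{"email": "user@example.test", "password": "p@ssword"}'},
    {"url": "http://app.example.test/login", "content_type": "application/json",
     "body": '{"email": "user@example.test", "password": "p@ssword"}'},
    {"url": "http://app.example.test/news?section=world", "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for endpoint, names in audit(SAMPLE):
        print(f"cleartext credentials: {endpoint} fields={names}")
```

Only the field names are reported, never the values, so the audit output can be shared in a bug tracker without repeating the exposed secrets.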