Skip to main content

SSL

See All Stories
Site default logo image

CNN iPhone app exposing login info of its iReporters unencrypted, according to security researchers

Update: Apple tells us CNN submitted fixes for both their iPhone and iPad apps that are now live on the App Store.

Security researchers at Zscaler claim to have found a security flaw in CNN’s iPhone app that exposes personal login and passwords of its users. The CNN app for iPhone, which includes an iReport feature that allows users to sign-up and submit news stories, is reportedly not using SSL encryption for registration/login and SSL certificate pinning like its Android app counterpart and sending the personal user info to and from the app unencrypted. The report notes that CNN’s iPad app is not subject to the same vulnerability as it currently doesn’t have the iReport feature:

The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.

As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.

Zscaler said it notified CNN of the security flaw on July 15th and that the company confirmed it’s investigating. The CNN app for iPhone received an update today with “bug fixes” listed in the release notes, but the company is yet to confirm if the update was to address the security flaw detailed by Zscaler.

Mac OS X software update temporarily broken, likely due to expired SSL certificate

Site default logo image

Apple’s SSL certificate that is responsible for verifying and authenticating connections to Apple’s Mac App Store software update servers has expired, causing the Mac App Store to issue errors like those above. Another error notification points to the swscan.apple.com server as being the issue, below.

 

A quick search shows that this SSL certificate expired yesterday May 24th at midnight.



Expand
Expanding
Close

Site default logo image

Strange bug has stopped some streaming video apps from playing content

As noted by the BBC, some video apps on iOS have inexplicably stopped working today. Videos simply fail to stream, resulting in error messages like the one shown above. The cause of the issue is still unclear, but the bug is affecting multiple high-profile apps in the UK such as BBC iPlayer and Sky Go. Whether the issue is more widespread is not yet known.

It is unknown whether the bug is an issue with Apple’s software or with the third-party app developers. However, as both independent services have failed on the same day it seems like the problem lies with iOS itself. Setting the date on your iPhone or iPad to the past will make videos play again, which suggests the error may be related to expired digital certificates.


Expand
Expanding
Close

Site default logo image

Apple pushes ‘Critical Security Update’ notification to remind users to update to OS X 10.9.2 for SSL fix

Although most users have likely installed OS X 10.9.2 by now, after its release late last month, Apple is providing a reminder to those who haven’t.

Laggards like myself who are still running OS X 10.9.1 have begun to see notifications like the one below over the past day, pushing the critical update which included a fix for the well-publicized SSL bug found in both iOS 7 and OS X Mavericks.


Expand
Expanding
Close

Security consultant takes less than a day to exploit OS X bug to capture all SSL traffic

Site default logo image

Update: The bug has been fixed in OS X 10.9.2

Security consultant Aldo Cortesi said in a blog post (via ZDNet) that it took him less than a day to exploit the goto fail bug in OS X to capture all SSL traffic, and that there’s a good chance he isn’t the first to have done so – an implicit suggestion that the vulnerability may already be being used in man-in-the-middle attacks.

I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:

  • App store and software update traffic
  • iCloud data, including KeyChain enrollment and updates
  • Data from the Calendar and Reminders
  • Find My Mac updates
  • Traffic for applications that use certificate pinning, like Twitter … 
    Expand
    Expanding
    Close

Apple patched a major SSL bug in iOS yesterday, but OS X is still at risk

Site default logo image

Update: Apple says an OS X fix is coming soon.

Yesterday Apple released iOS update 7.0.6 alongside new builds for iOS 6 and Apple TV  that it said provided “a fix for SSL connection verification.” While Apple didn’t provide much specific information on the bug, it wasn’t long before the answer was at the top of Hacker News. It turns out that minor security fix was actually a major flaw that could in theory allow attackers to intercept communications between affected browsers and just about any SSL-protected site. Not only that, but the bug is also present in current builds of OS X that Apple has yet to release a security patch for.

Researchers from CrowdStrike described the bug in a report:

“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),”

Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site to check if you have the bug (pictured above):
Expand
Expanding
Close

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications