SSL Stories May 10, 2016
SSL Stories July 23, 2014
CNN iPhone app exposing login info of its iReporters unencrypted, according to security researchers
Update: Apple tells us CNN submitted fixes for both their iPhone and iPad apps that are now live on the App Store.
Security researchers at Zscaler claim to have found a security flaw in CNN’s iPhone app that exposes personal login and passwords of its users. The CNN app for iPhone, which includes an iReport feature that allows users to sign-up and submit news stories, is reportedly not using SSL encryption for registration/login and SSL certificate pinning like its Android app counterpart and sending the personal user info to and from the app unencrypted. The report notes that CNN’s iPad app is not subject to the same vulnerability as it currently doesn’t have the iReport feature:
The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.
As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.
Zscaler said it notified CNN of the security flaw on July 15th and that the company confirmed it’s investigating. The CNN app for iPhone received an update today with “bug fixes” listed in the release notes, but the company is yet to confirm if the update was to address the security flaw detailed by Zscaler.
SSL Stories May 25, 2014
Apple’s SSL certificate that is responsible for verifying and authenticating connections to Apple’s Mac App Store software update servers has expired, causing the Mac App Store to issue errors like those above. Another error notification points to the swscan.apple.com server as being the issue, below.
A quick search shows that this SSL certificate expired yesterday May 24th at midnight.
SSL Stories April 17, 2014
Strange bug has stopped some streaming video apps from playing content
As noted by the BBC, some video apps on iOS have inexplicably stopped working today. Videos simply fail to stream, resulting in error messages like the one shown above. The cause of the issue is still unclear, but the bug is affecting multiple high-profile apps in the UK such as BBC iPlayer and Sky Go. Whether the issue is more widespread is not yet known.
It is unknown whether the bug is an issue with Apple’s software or with the third-party app developers. However, as both independent services have failed on the same day it seems like the problem lies with iOS itself. Setting the date on your iPhone or iPad to the past will make videos play again, which suggests the error may be related to expired digital certificates.
SSL Stories March 19, 2014
Apple pushes ‘Critical Security Update’ notification to remind users to update to OS X 10.9.2 for SSL fix
Although most users have likely installed OS X 10.9.2 by now, after its release late last month, Apple is providing a reminder to those who haven’t.
Laggards like myself who are still running OS X 10.9.1 have begun to see notifications like the one below over the past day, pushing the critical update which included a fix for the well-publicized SSL bug found in both iOS 7 and OS X Mavericks.
SSL Stories February 25, 2014
Update: The bug has been fixed in OS X 10.9.2
Security consultant Aldo Cortesi said in a blog post (via ZDNet) that it took him less than a day to exploit the goto fail bug in OS X to capture all SSL traffic, and that there’s a good chance he isn’t the first to have done so – an implicit suggestion that the vulnerability may already be being used in man-in-the-middle attacks.
I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:
- App store and software update traffic
- iCloud data, including KeyChain enrollment and updates
- Data from the Calendar and Reminders
- Find My Mac updates
- Traffic for applications that use certificate pinning, like Twitter … expand full story