The iOS app for news channel CNN has a major vulnerability in a key piece of user functionality.
According to research by Zscaler, the free app is the second most popular news app and ranks at number 165 among all free apps. Its functionality includes iReport, which allows users to upload photos, video and narrative to contribute to CNN news reports.
This functionality includes the ability to register for an account by providing an email address, username and password. Users can optionally provide a real name and phone number. However, the current CNN for iPhone app (verified on Version 2.30) has a weakness whereby passwords for iReport accounts are sent unencrypted, in clear text.
“Transmissions are sent in clear text (HTTP) and the password is sent unencrypted, along with all other registration/login information,” it said. “The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.”
Zscaler said that while this is always a problem, it is especially concerning here because the affected functionality permits people to anonymously submit news stories to CNN. The exposure occurs both when a user first creates an iReport account and during any subsequent logins.
Zscaler said: “End-users must rely on both the app developers and app store gatekeepers to prevent such flaws from being exposed in the first place. This vulnerability could easily have been caught by Apple during the vetting process that they subject new applications to before including them in the app store, but our research has shown us that Apple and Google simply aren’t looking for these basic security vulnerabilities.”
CNN had not responded to a request for comment from IT Security Guru at the time of going to press. Zscaler said that it had tested other CNN mobile apps and found that the Android app does not have the same vulnerability, as it uses both SSL encryption for registration/login and SSL certificate pinning. The iReport functionality is not present in the CNN iPad application. The vulnerability was reported to CNN on July 15th; CNN acknowledged receipt of the report and indicated that it is investigating.
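As an added illustration (not code from Zscaler, CNN or this article), the following Python check shows the kind of automated test an app developer or store vetting pipeline could run over captured traffic from their own app in a lab: it flags registration or login requests that carry credential fields over plain HTTP instead of HTTPS, which is exactly the class of flaw described above. The hostnames, paths and request bodies are constructed samples.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Form/JSON field names that typically carry secrets in registration or login requests.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def credential_fields(query: str, body: str, content_type: str) -> set:
    """Return credential-like field names found in a request's query string or body."""
    found = {k for k in parse_qs(query) if k.lower() in CREDENTIAL_FIELDS}
    if "json" in content_type.lower():
        try:
            data = json.loads(body or "{}")
        except ValueError:
            return found  # malformed JSON body: nothing more to inspect
        if isinstance(data, dict):
            found |= {k for k in data if k.lower() in CREDENTIAL_FIELDS}
    else:
        found |= {k for k in parse_qs(body) if k.lower() in CREDENTIAL_FIELDS}
    return found


def find_cleartext_credentials(requests):
    """Flag every non-HTTPS request that transmits a credential-like field.

    Each request is a dict with 'url', 'content_type' and 'body' keys, as a
    lab proxy's export of the app's own traffic might produce."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue  # TLS-protected; not the weakness under test
        fields = credential_fields(parts.query, req.get("body", ""), req.get("content_type", ""))
        if fields:
            findings.append({"url": req["url"], "fields": sorted(fields)})
    return findings


# Constructed sample capture (hypothetical host example.invalid), not real CNN traffic.
SAMPLE_CAPTURE = [
    {"url": "http://example.invalid/ireport/register", "content_type": "application/x-www-form-urlencoded",
     "body": "email=a%40example.invalid&username=alice&password=hunter2&name=Alice"},
    {"url": "https://example.invalid/ireport/login", "content_type": "application/json",
     "body": '{"username": "alice", "password": "hunter2"}'},
    {"url": "http://example.invalid/ireport/login", "content_type": "application/json",
     "body": '{"username": "alice", "password": "hunter2"}'},
    {"url": "http://example.invalid/headlines", "content_type": "application/x-www-form-urlencoded",
     "body": "section=world"},
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"CLEARTEXT CREDENTIALS: {finding['url']} fields={finding['fields']}")
```

Only the two plain-HTTP register/login requests are reported; the HTTPS login and the credential-free request pass.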