CNN’s iOS application has a major vulnerability that threatens to leak user information.
According to a report by information security company Zscaler, the app is the second most popular news app and is ranked number 165 among all free applications.
However, its iReport function, which allows users to upload photos, videos and other content to CNN news reports, has a major security flaw. Passwords for iReport accounts are sent unencrypted in clear text, making them extremely vulnerable to interception.
“Transmissions are sent in clear text (HTTP) and the password is sent unencrypted, along with all other registration/login information,” the Zscaler report said.
“The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity.”
The report added that this was of particular concern as it relates to functionality which permits people to anonymously submit news stories to CNN. The flaw occurs both when a user first creates their iReport account and during any subsequent logins.
“End-users must rely on both the app developers and app store gatekeepers to prevent such flaws from being exposed in the first place,” the report added.
“This vulnerability could easily have been caught by Apple during the vetting process that they subject new applications to before including them in the app store, but our research has shown us that Apple and Google simply aren’t looking for these basic security vulnerabilities.”
Fortunately, the security lapse is only present in the iPhone version of the app, with the iPad and Android editions not suffering from the same fault.
CNN has been alerted of the vulnerability and has indicated that it is currently investigating the matter.
