Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today
Learn More

Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Mobile App Wall Of Shame: Tinychat For IPhone

image
VIRAL GANDHI
Februar 20, 2015 - 2 Lesezeit: Min
Einblicke zum Thema Sicherheit

Inhalt

  1. Article
  2. Weitere Blogs

ImageTinychat
 
Price : Free
Category : Social Networking
Updated : December 29, 2014
Version : 5.0
Size : 19.41 MB
Language : English
Vendor : Tinychat Co
Operating system : iOS
 
 
Background:

Tinychat is a group video chat application that allows users to chat online and also create their own chart rooms. Currently, this application is ranked among the top 200 apps in the Social Networking category on the iTunes app store. Tinychat claims 5 million minutes of usage per day, making it one of the largest voice and video chat communities on the Internet today.

A user must submit their email address and password in order to create an account. Alternately, a user can also use their Facebook or Twitter account to login to this application.
 
 
 Vulnerability - Clear text username/password
 
Image
App Login page
The current Tinychat App (verified on Version 5.0) has a serious information leakage flaw whereby username & password information for the Tinychat user is sent in clear text (unencrypted) to the application server. This vulnerability woud make it possible for an attacker to easily sniff network traffic and compromise the user account.
 
 
Below is the sample capture of a Tinychat user login attempt. As seen in the request, the username & password information is sent in clear text.
 
 
 
 
 
 
Login:
Image
Login Capture
 
 
Similarly, when a user attempts to register an account on Tinychat, the following HTTP request is generated. The username, password and email address information of the user passes in clear text as seen in the request below:

Account registration:
 
Image
Registration Capture

An attacker can easily takeover the victim's account by sniffing the vulnerable application's network traffic. This can further lead to more sophisticated attacks and can often lead to the compromise of other applications/services due to password reuse.
 
 
ZAP Analysis:
Image
ZAP in action.
This flaw was identified using Zscaler Application Profiler (ZAP). ZAP is a free online tool that can be used to analyze mobile applications for vulnerabilities and privacy issues as seen in the above screenshot. We have reached out to Tinychat developers, informing them of this security flaw.

Conclusion:

This type of security flaw can be uncovered by simply analyzing the network traffic sent by the application. It is disappointing to see such applications getting uploaded to Apple iTunes store without basic security tests like checking for clear text username/passwords being conducted. This is not the first time we have seen a popular iOS application with this security flaw, but Apple continues to ignore performing a basic security check as part of their vetting process for adding new applications to the app store.

Credit: Analysis by Lakshmi.
form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

vote yes
Ja, sehr hilfreich!
vote no
Nicht wirklich

Weitere Zscaler-Blogs erkunden

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Blog lesen
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Blog lesen
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Blog lesen
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Blog lesen
01 / 02
dots pattern

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.