| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 Jun 2011 12:22:31 -0600 From: <ctruncer@...istophertruncer.com> To: <full-disclosure@...ts.grok.org.uk> Subject: Jailbroken "Theme It" store sends username, pass, etc. cleartext This would be my first write up based off an obvious security hole. Go easy on me. In a nutshell, Theme It has emerged as a store for where jailbroken iPhone users can go to purchase themes for their iPhone. Unfortunately, the Theme It team has not decided to implement server certificates or any sort of mechanism to encrypt data sent from the iPhone to their servers, or through their web interface. I've attempted to contact them multiple times and they have not responded, except for the first message saying that the reason for their lack of security was because they "are not a bank". Theme It's iPhone application sends username, password, UDID, iPhone version, and iOS version in cleartext. While their web interface does attempt to obfuscate a user's login credentials, it is vulnerable to a replay attack. Full writeup located here - http://bit.ly/j7F3sK Chris _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists