BreachExchange mailing list archives

Etsy for iPhone loophole allows attacker to hijack Accounts


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sat, 15 Dec 2012 14:49:44 -0500

http://thehackernews.com/2012/12/etsy-for-iphone-loophole-allows.html

Mohamed Ramadan from Attack-Secure discovered a critical vulnerability
in Etsy's iPhone application. Etsy is a social commerce website
focused on handmade or vintage items as well as art and craft
supplies.

Any attacker on the same network can sniff traffic (including the user
password) invisibly, without any warning from the Etsy app. It is very
similar to the man-in-the-middle attack reported in the iPhone Instagram
app a few days back.

Because Etsy has a Security Bug Bounty Program, Mohamed first tried
to find a vulnerability in the Etsy website, but later found that it
had good enough security. Because Etsy mobile apps are eligible in the
bug bounty program, his next try was on the mobile apps.

Mohamed finally downloaded the latest version 2.2 and installed it
on his iPhone 4S with iOS 6 and also on his iPad. Then he configured
his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in
invisible mode. He disabled any firewall and configured his iPhone to
use a manual proxy.

He logged in to his Etsy account from the iPhone, and the Burp Suite proxy
captured the requests with the respective username & password, which was
actually sent in clear text.

Mohamed already reported the issue to the Etsy Security Team and they
confirmed it. Because the findings are eligible for the bug bounty,
he was finally rewarded with 750 USD. His name is also listed on Etsy as
a Whitehat hacker.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
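As an added illustration (not from the article, Etsy, or Attack-Secure), the following Python function scans a constructed sample of proxy-captured requests, in the absolute-URI form a forward proxy logs them, and flags any login credentials that cross the wire without TLS, which is the finding the article describes. The hostnames, field names and the small list of credential parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of proxy-captured requests (not real Etsy traffic).
# Each entry is the raw request as a forward proxy sees it: request line,
# headers, blank line, body. The first one is the "clear text" case.
SAMPLE_CAPTURE = [
    "POST http://api.shop.example/v2/login HTTP/1.1\r\n"
    "Host: api.shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2",
    "GET http://api.shop.example/v2/listings?q=mugs HTTP/1.1\r\n"
    "Host: api.shop.example\r\n\r\n",
    "POST https://api.shop.example/v2/login HTTP/1.1\r\n"
    "Host: api.shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2",
]

# Assumed parameter names that should never travel in plaintext.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "secret", "token"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_plaintext_credentials(capture):
    """Return (method, url, leaked_fields) for every non-TLS request that
    carries a credential in its body, query string or Authorization header."""
    findings = []
    for raw in capture:
        method, target, headers, body = parse_request(raw)
        url = urlsplit(target)
        if url.scheme != "http":
            continue  # TLS-wrapped: a passive sniffer on the LAN sees only ciphertext
        leaked = set()
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            leaked |= CREDENTIAL_KEYS & set(parse_qs(body))
        leaked |= CREDENTIAL_KEYS & set(parse_qs(url.query))
        if "authorization" in headers:
            leaked.add("authorization header")
        if leaked:
            findings.append((method, target, sorted(leaked)))
    return findings
```

Run over a real proxy export, a non-empty result is the release-blocking signal the article's finding would have produced before the app shipped.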
