BreachExchange mailing list archives
Etsy for iPhone loophole allows attacker to hijack Accounts
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sat, 15 Dec 2012 14:49:44 -0500
http://thehackernews.com/2012/12/etsy-for-iphone-loophole-allows.html Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies. Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back. Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps. Mohamed finally downloaded the latest version 2.2 and installed that on his iPhone 4S with iOS 6 and also on his ipad. Then he configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode. He disabled any firewall and configured his iPhone to use manual proxy. He logged in his Etsy account from iPhone and Burp Suite proxy captured the requests with respective username & password , which was actually sent in clear text. Mohamed already reported the issue to Etsy Security Team and they confirmed it. Because the findings are eligible to bug bounty, finally he was rewarded with 750 USD. He name also listed on Etsy as Whitehat hackers. _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges. Tenable Network Security (http://www.tenable.com/) Tenable Network Security provides a suite of solutions which unify real-time vulnerability, event and compliance monitoring into a single, role-based, interface for administrators, auditors and risk managers to evaluate, communicate and report needed information for effective decision making and systems management.
Current thread:
- Etsy for iPhone loophole allows attacker to hijack Accounts Erica Absetz (Dec 15)