Yet Another Hot Startup Leaves A Gaping Security Hole In Its iPhone App - jwu711
http://techcrunch.com/2010/11/18/yet-another-hot-startup-leaves-a-gaping-security-hole-in-its-iphone-app/

======
dangrossman
Surprise, most sites don't use SSL.

Surprise, the DISQUS login/registration to post a comment on TechCrunch's
article about this "gaping security hole" also sends your password in
plaintext.

~~~
thedz
Just a note that we're working on improving our ssl support.

------
thomaspaine
I don't know why this is so surprising, 99% of the websites and apps I see
don't use SSL for login, even HN doesn't. It's good that this issue is getting
more attention, but to specifically call out Instagram for it makes it seem
like what they're doing isn't the industry norm.

Looking at the TC comments it seems like a lot of people are confused by the
difference between sending your password in cleartext, and storing your
password in cleartext, although I wouldn't be surprised if they're storing
your tumblr and foursquare credentials in the clear.

------
dangrossman
Everyone assumes that this is just an "oh, they should add an s to <http://>"
issue.

If your iPhone application uses SSL, it becomes subject to US export
restrictions on encryption.

Apple is the vendor of the apps, and is based in the US, so every app is
subject to these regulations. Apple specifically asks if your application uses
encryption when you submit it, and if so, some apps end up having to get U.S.
government review and approval for sale outside the US before they can be
added to the market.

[http://blog.theanimail.com/iphone-encryption-export-complian...](http://blog.theanimail.com/iphone-encryption-export-compliance-for-apps)

[http://www.zetetic.net/blog/2009/08/03/mass-market-encryptio...](http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/)

~~~
rarrrrrr
It's really not that difficult to get certified for export as a mass market
crypto product. We did this for SpiderOak years ago. Took about an hour and I
think a small fee.

Also requires sending the NSA the source code, but we're shipping easily
reversible Python anyway, so hardly a concern.

------
Aqua_Geek
Seriously? Passwords sent in the clear?! Why are simple security measures so
far down on people's list of things to implement when launching a new
product/company?

~~~
mrduncan
Because _most_ users could care less.

Notice that you logged into HN by sending a plaintext password.

Edit: I totally agree with your sentiment though.

------
The_Igor
"...one of the top stories on Hacker News over the weekend. In other words,
the ‘bad guys’ already know about it, but consumers may not."

Never thought of this community as bad guys...

------
tyrmored
Ten bucks says they store the passwords in cleartext too.

~~~
gawker
Why shouldn't they? It makes their password retrieval process so much easier!
;)

------
gawker
Was pretty shocked when I realized that Facebook doesn't use https either.

~~~
woan
Facebook does use SSL for login.

~~~
rythie
Drops back to standard http afterwards though. You can still sidejack it with
firesheep.

~~~
dangrossman
Virtually everything flying around the network is unencrypted. Even if
Facebook turned on SSL for the whole site, if I see you sitting next to me and
can find your e-mail address, I just have to request a password reset and wait
for your mail client to pick up the plain text email with the reset link.
Either encrypt your whole connection or accept that you're _secure enough_
because nobody is really listening.

Kinda like all the TSA articles floating around, you're not safe because
someone's groping everyone before they get on the plane, you're safe because
nobody was trying to get something onto the plane in the first place.

~~~
rythie
Firstly that alerts the person to the breach, because you have to change their
password - which isn't true of a session hijack.

Secondly, how are you getting the mail? I haven't been able to access my mail
without SSL for years, and I lock my screen every time I leave it + never leave
my phone hanging around.

Thirdly would you even know the email address I used? I use a different one
for each site.

