Yet Another Hot Startup Leaves A Gaping Security Hole In Its iPhone App (opens in new tab)

(techcrunch.com)

27 pointsjwu71115y ago19 comments

19 comments

16 comments · 7 top-level

dangrossman15y ago· 2 in thread

Everyone assumes that this is just a "oh they should add an s to http:// issue.

If your iPhone application uses SSL, it becomes subject to US export restrictions on encryption.

Apple is the vendor of the apps, and is based in the US, so every app is subject to these regulations. Apple specifically asks if your application uses encryption when you submit it, and if so, some apps end up having to get U.S. government review and approval for sale outside the US before they can be added to the market.

http://blog.theanimail.com/iphone-encryption-export-complian...

http://www.zetetic.net/blog/2009/08/03/mass-market-encryptio...

rarrrrrr15y ago

It's really not that difficult to get certified for export as a mass market crypto product. We did this for SpiderOak years ago. Took about an hour and I think a small fee.

Also requires sending the NSA the source code, but we're shipping easily reversible Python anyway, so hardly a concern.

xxpor15y ago

Is the US the only one with such ridiculous restrictions?

Aqua_Geek15y ago· 2 in thread

Seriously? Passwords sent in the clear?! Why are simple security measures so far down on people's list of things to implement when launching a new product/company?

mrduncan15y ago

Because most users could care less.

Notice that you logged into HN by sending a plaintext password.

Edit: I totally agree with your sentiment though.

chc15y ago

Because simple security measures do not sell product.

tyrmored15y ago· 2 in thread

Ten bucks says they store the passwords in cleartext too.

gawker15y ago

Why shouldn't they? It makes their password retrieval process so much easier! ;)

rewind15y ago

I highly doubt it. One has nothing to do with the other.

gawker15y ago· 2 in thread

Was pretty shocked when I realized that Facebook doesn't use https either.

woan15y ago

Facebook does use SSL for login.

rythie15y ago

Drops back to standard http afterwards though. You can still sidejack it with firesheep.

1 more reply

dangrossman15y ago· 1 in thread

Surprise, most sites don't use SSL.

Surprise, the DISQUS login/registration to post a comment on TechCrunch's article about this "gaping security hole" also sends your password in plaintext.

thedz15y ago

Just a note that we're working on improving our ssl support.

thomaspaine15y ago

I don't know why this is so surprising, 99% of the websites and apps I see don't use SSL for login, even HN doesn't. It's good that this issue is getting more attention, but to specifically call out Instagram for it makes it seem like what they're doing isn't the industry norm.

Looking at the TC comments it seems like a lot of people are confused by the difference between sending your password in cleartext, and storing your password in cleartext, although I wouldn't be surprised if they're storing your tumblr and foursquare credentials in the clear.

The_Igor15y ago

"...one of the top stories on Hacker News over the weekend. In other words, the ‘bad guys’ already know about it, but consumers may not."

Never thought of this community as bad guys...

j / k navigate · click thread line to collapse