

tkp

[Alert] SkateSpots app by Terrier
« on: July 07, 2018, 10:05:34 AM »
Hey everyone, on May 7th I discovered a security flaw in this app ( https://itunes.apple.com/us/app/skatespots/id438292992 ) that was leaking private user data. I immediately reached out to the developer with detailed information on what I discovered, how I did it, and what page had the security flaw.

They responded on May 8th saying they were working on a new version of the app. I then suggested they remove the page leaking data and contact their users to let them know about the issue, which never happened (I am a user of the app).

60 days is typically regarded as a responsible time frame to give a developer before going public with discoveries like this. That day is today, hence this post being made.

==
Who is at risk?

I have only tested this with the iPhone version of the app, but if there is an Android version I am sure the flaw still exists.

If you have posted a spot in the app or commented on a post: your user ID, username, password, email address, and Facebook ID are all being transmitted in plain text through the app and can easily be viewed.

I know skaters all over the world have contributed to this app with good intentions of sharing spots. Unfortunately people tend to use the same passwords for email, social media, and banking, which is why this discovery is concerning.

The app was released in 2012, so this issue could have existed since then.

« Last Edit: July 07, 2018, 10:10:01 AM by tkp »