Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies.

Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back.

The Hacker News

Bug Hunting !
Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps.

Mohamed finally downloaded the latest version 2.2 and installed that on his iPhone 4S with iOS 6 and also on his ipad. Then he configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode. He disabled any firewall and configured his iPhone to use manual proxy.
The Hacker News

He logged in his Etsy account from iPhone and Burp Suite proxy captured the requests with respective username & password , which was actually sent in clear text.

Mohamed already reported the issue to Etsy Security Team and they confirmed it. Because the findings are eligible to bug bounty, finally he was rewarded with 750 USD. He name also listed on Etsy as Whitehat hackers.

Readers can download Video of Demonstration here.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.