Etsy for iPhone loophole allows attacker to hijack accounts

Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies.

Any attacker on the same network can sniff the app's traffic, including the user's password, invisibly and without any warning from the Etsy app. It is very similar to the man-in-the-middle attack reported in the iPhone Instagram app a few days back.

Bug Hunting!
Because Etsy has a Security Bug Bounty Program, Mohamed first tried to find a vulnerability in the Etsy website, but found that its security was good enough. Since Etsy's mobile apps are also eligible under the bug bounty program, his next attempt was on the mobile apps.

Mohamed downloaded the latest version, 2.2, and installed it on his iPhone 4S running iOS 6 and also on his iPad. He then configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode, disabled any firewall, and configured the iPhone to use a manual proxy.

He logged in to his Etsy account from the iPhone, and the Burp Suite proxy captured the requests with the respective username and password, which were actually sent in clear text.
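As an added illustration of what a reviewer of captured app traffic is checking for (this is not Etsy's or the researcher's code): a small Python audit that flags requests which would hand a credential to anyone sniffing the same network. The request captures, the host name app.example and the field names are constructed for the example.

```python
# Added example (not Etsy's code): flag captured app requests that would hand
# credentials to a network eavesdropper. Captures below are constructed.
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "secret", "api_key"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def exposed_credentials(scheme, raw):
    """Names of credential fields visible to anyone sniffing the wire.
    scheme is what the wire carried ('http' or 'https'), as a proxy
    listener records it."""
    if scheme == "https":
        return []  # encrypted in transit; certificate validation is a separate check
    _method, target, headers, body = parse_request(raw)
    exposed = []
    # Form fields in the query string or a form-encoded body
    for field in list(parse_qs(urlsplit(target).query)) + list(parse_qs(body)):
        if field.lower() in CREDENTIAL_FIELDS:
            exposed.append(field)
    # HTTP Basic auth is only base64-encoded, so it is still cleartext
    if headers.get("authorization", "").lower().startswith("basic "):
        exposed.append("Authorization: Basic")
    return exposed

# Constructed captures standing in for what a proxy listener would record
CAPTURES = [
    ("http", "POST /login HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=alice&password=hunter2"),
    ("http", "GET /search?q=vintage HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    ("http", "GET /api/orders HTTP/1.1\r\nHost: app.example\r\n"
             "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
]

if __name__ == "__main__":
    for scheme, raw in CAPTURES:
        fields = exposed_credentials(scheme, raw)
        status = f"cleartext {fields}" if fields else "ok"
        print(f"{raw.splitlines()[0]} over {scheme}: {status}")
```

The same login request over https returns an empty list, which is the point: moving the credential exchange under TLS (and validating the server certificate) is the fix, not hiding the field name.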

Mohamed had already reported the issue to the Etsy Security Team, and they confirmed it. Because the finding was eligible for the bug bounty, he was rewarded with 750 USD. His name is also listed among Etsy's whitehat hackers.

Readers can download the video demonstration here.
