Etsy for iPhone loophole allows attacker to hijack Accounts
Dec 15, 2012
Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies. Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back. Bug Hunting ! Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps. Mohamed finally downloaded the latest version 2.2 and installed that on his iPhone 4S with iOS 6 and also on his ipad. Then he configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode....
