Sunday, August 22, 2010

Foursquare considered harmful - DON'T USE [Updated w/ 4sq's reply]

Update [2010-08-31]: foursquare has released their v1.9.2 update on App Store today which should fix the problem.

Update: I posted this on Aug 21st morning and foursquare replied to my blog post with a statement on their HTTPS authentication system rollout that night, so they're working on fixing the issue right now. That's actually a very awesomely fast response. Looking forward to their next update.

Yet Another Update: It has come to my attention from reader fdqps that Gowalla for iPhone is having the same problem. I've run the same test on Gowalla, and unfortunately, I can confirm they're having the same problem as well. So, stop also using Gowalla until they've rolled out an update for this problem.

One More Update: Gowalla has responded this morning that they're rolling out a client update in the near future that'll fix the security problem. Again, very fast response.

Original blog post below:

If you care to intercept the messages your Foursquare app sends out from your iPhone.. you'll see something very unpleasant.

The above screenshot was taken from Wireshark listening in on a gateway Wifi NIC to my iPhone. Take a good look at the "Authorization: Basic" line in the above screenshot - Foursquare sends my account's username and password in plaintext over HTTP, without any encryption. They send it every time you open that Foursquare app. If anybody has access to any routers between you and foursquare, or foursquare's DNS happens to be hijacked by anybody anywhere up your DNS chain.. or someone is setting up a public wifi intercepting foursquare HTTP requests, and you joined it... you're screwed.

Yes, I said they send it every time.

I wasn't aware of the problem until I saw the Gaming foursquare with 9 lines of Perl article from Slashdot this morning. Plenty of people are trying to shorten that 9 lines of Perl on Slashdot.. but the big problem I noticed from the source code was... Why the hell can I send my login/password in plaintext and login to foursquare, at all?!!

So, in conclusion, don't use foursquare until they fixed their security hole. If it's on your mobile phone, remove it right now. Facebook Places is at least decent enough to do the login part via HTTPS.

Update: I see quite some people on Hacker News are having a hard time believing it. You can reproduce this screen with your own Wireshark and any Wifi access point. I used MacBook Pro's Internet Sharing to do it. Here's how you can reproduce it:

  1. Plug your MBP to wired ethernet - you have one of these in your home, right?
  2. Open an ad-hoc network in your MBP, and share Internet access via that ad-hoc network.
  3. Connect your iPhone to your MBP's ad-hoc network, now it should be able to access the Internet via your MBP.
  4. Install and fire up Wireshark in your MBP - make sure to read the instructions or otherwise it can't capture packets.
  5. Get Wireshark to capture packets on the ad-hoc Wifi interface.
  6. Filter out the HTTP packets going to *.foursquare.com by adding the filter 'http.host contains "foursquare"'
  7. Fire up Foursquare on your iPhone, login if you haven't already
  8. Boom, you've just sent your password in plain text, over the Internet.
Update 2: A commenter, kidsat, on Hacker News found Foursquare for Android is doing the same thing. So if it's on your Android phone, remove it too - wait for them to fix the security bug before you go back to use it