Pinterest, Yammer scramble to patch login thievery headaches
'Everything's fine, we've already fixed it,' claim compromised networks
Pinterest has patched a vulnerability that meant its iPhone app leaked passwords to other surfers on the same network.
An earlier version of the Pinterest iOS app failed to validate the server certificate, potentially allowing a suitably positioned attacker on the same network to steal login credentials for the photo-sharing social network. The vulnerability might be exploited in an open Wi-Fi environment to run man-in-the-middle attacks using an invalid cert, according to bug finder Han Sahin of Dutch security firm Securify.
In response, Pinterest acknowledged the problem and said that it had already developed a fix.
"The bug was previously brought to our attention and we began working on it immediately. The updated iOS version that fixes the issue hit the App Store earlier this week."
Sahin further warned that the Yammer iOS app suffers from the same problem, exposing users of Microsoft's enterprise social network service to account hijacking in the process. Again, the problem stems from a failure to validate server certificates.
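The defect behind both reports is a TLS delegate that accepts whatever certificate the server presents, so a man-in-the-middle holding an invalid cert is trusted. The following Swift is an added illustration, not code from Pinterest, Microsoft or Securify; the class names are invented, and it shows the trust-everything anti-pattern beside a delegate that evaluates the chain and hostname before accepting.

```swift
import Foundation
import Security

// Anti-pattern: every server certificate is accepted without evaluation,
// which is the class of bug described in the article.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate call: an attacker's self-signed cert passes.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened form: validate the chain against the system trust store and the
// expected hostname, and cancel the connection on any failure. Not overriding
// the challenge at all (letting URLSession do default handling) is equivalent.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind the evaluation to the host we intended to reach.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Invalid, expired or mis-issued chain: refuse to send credentials.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (hypothetical): a session built with the validating delegate.
let session = URLSession(configuration: .default, delegate: ValidatingDelegate(), delegateQueue: nil)
```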
Fortunately Microsoft has already fixed the problem, the firm told El Reg on Wednesday.
"We provided a solution to Apple on April 1, 2015, and an update is now available."
Users of Yammer iOS version 18.104.22.1680 and Pinterest for iPhone v4.5 both need to upgrade to skirt potential login token-thieving problems. Users of the web and Android versions of both Yammer and Pinterest were never at risk. ®