This post was last edited by 欧阳宣 on 2015-1-18 18:25
https://blogs.mcafee.com/mcafee-labs/apps-sending-plain-http-put-personal-data-risk
…………………………
Weibo: social media chat easily sniffed or spoofed

Weibo is a Chinese social media platform like Twitter or Facebook. You post your status, chat with your friends, etc. Now suppose you post a message as follows in Weibo:

Weibo is a Chinese social platform similar to Facebook and Twitter; you can post status updates, chat with friends, and so on. Now suppose you post the following on Weibo:

You can see what’s being sent to the Weibo backend by capturing the traffic with Wireshark:

With Wireshark you can see the data being sent to the Weibo backend.

And the cookie is there for an attacker to harvest, or even to alter your post message via a man-in-the-middle attack.

The cookies just sit there waiting to be harvested, and a man-in-the-middle attack could even alter what you post.

You may ask: Who cares? This is a post on social media and is meant to be public. But what about your private chats with friends? We sent the following message via the chat window:

You may say, who the heck cares? Things posted on social media are public anyway. But what about your private messages with friends? We sent the following message from the private-message window.

Again Wireshark shows us exactly the text, without encryption, begging for an attack (such as modifying the chat, injecting malicious links, etc.). There’s no privacy here!

Once again Wireshark shows the message text being transmitted without any encryption, which makes modifying the message or injecting malicious code possible. Privacy is gone entirely.
Sogou sends device data via plain HTTP

Sogou is the most popular Chinese input-method editor, claiming more than 400 million installations. Users benefit from hints to optimized words without having to fully spell them out in Pinyin. (Instead of typing ni hao for “hello”, for example, you type just “nh.”)

Sogou is the most popular Chinese input method in China, claiming more than 400 million installations. Users are used to the simplified Pinyin input it provides.

That’s all we want from a language input editor, and that’s why we installed it on a Windows 7 machine. However, when we connected an iPod via USB to this machine, we saw the following captured in Fiddler:

That is also all we need from an input method. We installed it on a mainstream Windows 7 machine. But when we connected an iPod to the machine via USB, we saw the following in Fiddler.

At first glance the preceding data may not seem like much, but it leads to a question: Why would a language input editor want to know “the user has connected an iOS device (iPod5), it is running on iOS 7.0, the serial number is “650…,” and it is connected via the USB hub “USB#ROOT_HUB20#48…”?

At first glance the data shown doesn't look like much, but here is the question: why would an input method need to know that the user has connected an iOS device running iOS 7.0 with serial number 650***, plus the USB port identifier?

When we connected an Android phone, Fiddler showed a similar data collection:

When we connected an Android phone, Fiddler showed a similar data collection.

Collecting device information in these scenarios is not something we expect or appreciate from language-input software. What is scarier is that the plain-HTTP transport invites attacks in a world full of poisoned mobile hotspots.

The device-information collection in the cases above is not something we want to see from an input method. Scarier still, in a world full of compromised mobile hotspots, plaintext HTTP transport is practically begging to be hacked.
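The two cases above (a session cookie and post body sent over plain HTTP, and device identifiers such as a serial number sent over plain HTTP) are exactly what a defender looks for when reviewing a capture. The following script is an added example and not part of the McAfee post or this forum thread: it parses raw HTTP/1.1 requests and reports what an on-path observer could read or alter. The sample requests, host names and the SENSITIVE_PARAMS watch-list are constructed for illustration, not taken from real Weibo or Sogou traffic.

```python
"""Scan captured plaintext HTTP requests for cookies and device/account identifiers."""
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample requests (illustrative only, not real Weibo or Sogou traffic).
SAMPLE_REQUESTS = [
    "POST /statuses/update HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: SUB=abc123; SESSIONID=deadbeef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "status=hello+world",
    "GET /report?os=iOS7.0&model=iPod5&serial=650XXXXX&hub=USB%23ROOT_HUB20%2348 HTTP/1.1\r\n"
    "Host: ime.example\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]

# Parameter names that identify a device or account (hypothetical watch-list).
SENSITIVE_PARAMS = {"serial", "imei", "udid", "token", "password"}


def parse_request(raw: str) -> Dict[str, object]:
    """Split one raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Only treat the body as parameters when it is a URL-encoded form.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        query = query + "&" + body if query else body
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote_plus(key).lower()] = unquote_plus(value)
    return {"method": method, "path": path, "headers": headers, "params": params, "body": body}


def find_exposures(raw: str) -> List[str]:
    """Return findings: what an on-path observer could read or alter in this request."""
    req = parse_request(raw)
    findings = []
    if "cookie" in req["headers"]:
        names = [c.split("=", 1)[0].strip() for c in req["headers"]["cookie"].split(";")]
        findings.append("cookie(s) readable in transit: " + ", ".join(names))
    for name in sorted(set(req["params"]) & SENSITIVE_PARAMS):
        findings.append(f"identifier '{name}' sent in cleartext")
    if req["method"] == "POST" and req["body"]:
        findings.append("POST body unprotected; content could be altered by an on-path attacker")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(parse_request(raw)["path"], find_exposures(raw))
```

Feeding the script decoded request text exported from Wireshark or Fiddler gives a quick inventory of which apps ship session cookies or hardware identifiers without TLS.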