Color App Vulnerable to “Geo-spoofers”
It has been well documented that if privacy is what you want, the Color app is not for you. Color, of course, is the much-talked-about new app that allows users to share photos effortlessly with anyone and everyone in their vicinity.
Well, apparently that last part is a bit malleable.
It turns out that the location your device reports, whether real or not, is good enough to fool Color into letting you invade photostreams anywhere, anytime. Within hours of its release, Veracode CTO Chris Wysopal tweeted:
@threatpost with trivial geolocation spoofing the auth model of Color is broken
When he tested it out, he found that he could go anywhere and see anything – much easier than expected. He used a jailbroken iPad and an app called FakeLocation. With this app, he was able to bypass the iPad’s GPS and set his location to anywhere in the world.
I’m sure most of you can see where this is going.
When he opened the Color app, bingo! He could now browse all the photos from an area hundreds of miles away. “This only took about five minutes to download the FakeLocation app and try a few locations where I figured there would be early adopters who like trying out the latest apps,” Wysopal told Forbes’ Andy Greenberg. “No hacking involved.”
To prove his success, Wysopal (in New York City) sent Greenberg a screencap of Color CEO Bill Nguyen’s photostream (Palo Alto, California).
Once again, this “cheat” is not ruffling any feathers over at Color headquarters. As a spokesman said to Forbes, they never promised privacy. “It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see.”
And how many Color users, happy to share their photos with any stranger around them, would really care that the stranger lives in another state – or country?