Themeit – Trivially Insecure Theme Store for the iPhone

Update 3: After very briefly looking at traffic sent from the browser to Theme It’s server, the password appears to be hashed, but obviously the hash is still easily sniffed.  I’ll have to look into this to determine if the site is still vulnerable via a replay attack.

Update 2: I have been in continued contact with the developers of Theme It, and I am now glad to say that the security vulnerabilities I have documented here no longer exist.  All passwords sent when logging in and updating user account passwords are no longer clear text.  The purpose of this post was to bring security issues that exist up, and ensure that they are fixed.  In the case of passwords being sent in the cleartext, they have been.

Update 1:  I am pleased to announce that this post has had its desired effect.  While the developer(s) was unhappy that this information was posted, he has actually gone back and updated the way the site handles user authentication and the user information collected.  The initial login process is no longer viewable via intercepting network traffic.  Additionally, the appears to no longer be needing a physical address associated with your Themeit account.  There is still an issue that your username and password IS still sent in the cleartext when you are already logged in and are updating your password.  This appears to be the final remaining (obvious) vulnerability still present on the site.

I wanted to write about a web application that I have found to be incredibly insecure.  Similar to the previous vulnerability I wrote about, I got in contact with the application Owner/Lead Fif7y.  However, no action has been taken to fix the issue as it still exists.

For those that do not know, Themeit is a store that has been recently developed for selling iPhone themes.  It’s labeled as being made by Fif7y and sells a wide range of iPhone themes.  However, in order to get an account on the website you have to create a username, password, but also submit a number of personally identifiable information.

When analyzing this, there is no real need for this site to collect your home address.  Since the website uses PayPal as their payment processor, any information needed (address) is sent to them when a purchase is made.  This is done through PayPal, which is secure (although this module has not been part of this analysis, it is going off of quickly looking over the application).

So why does Themeit need our address?  However, this is not the biggest issue.  The big issue is that all information sent to their server is completely in cleartext.

To repeat, themeit in no way encrypts any traffic that is sent to the server.  This can be easily seen by doing a packet capture.

The image below shows the test account that I created for logging into the website.  You can clearly see that the username and password are sent in cleartext (look below the highlighted line in the upper section).

insecure login

Unfortunately, this is not the end of it.  Once logged in, you are able to change your address or any other information associated with your account.  However, if any change is made, all the information sent to the server is also sent in cleartext.  Below is only a snapshot of the packet that was captured, however if you were to capture a packet, you would get all of the information, not just what is shown here.

insecure address information

This is an extremely obvious vulnerability, and does not require a sophisticated attacker to capture any of this information.  This can be caught in a network built on hubs, over unencrypted wireless networks, or if you are in the middle between the user and server.  Again, this does not require a lot of IT knowledge to get another persons username and password.  The simplicity of this attack is what is the scary part.

A simple remediation, which would stop the transmission of information in cleartext, would be to get a server certificate.  This would allow the information to be transmitted over https and not in a cleartext format.

Hopefully this post will get the developers of themeit to take user data security seriously and to fix this glaring hole in their application security.