The IntoNow app is like Shazam meets TV meets Foursquare. Launched two months ago to much press coverage, the app identifies the audio of TV programs you watch so you can check in to, or “tag,” a show. This tells other users what you are watching. You can also see who else has tagged shows and connect with “friends” in the app, but you don’t have to be a friend to see someone’s profile and the shows they tagged.
The issue in this case was in the data that IntoNow servers sent to the app during routine use. When viewing a show page, a profile page or a list of friends in the app, you could see each person’s first name, last name and picture. IntoNow’s servers sent the data via the Internet as you browsed the app.
However, the feed also included the e-mail address for virtually every person shown on the screen. The e-mail addresses were not visible on the iPhone screen, but they were accessible to anyone who knows how to monitor the traffic sent over a wi-fi connection between their own iPhone and the Internet, as is routinely done when debugging and testing apps.
Accessing user e-mail addresses required the following steps:
- Install the IntoNow app and create a user account.
- Use proxy software on a computer in your home network to monitor traffic between your iPhone and the Internet.
- Point the iPhone wi-fi connection to the proxy computer.
- Start the IntoNow app.
- View a show page or a profile page of any user in the app.
At this point, you would have the e-mail address for virtually any user you viewed. That’s because until yesterday IntoNow’s feed included the username for each person, which happens to also be the user’s e-mail address.
IntoNow says this was an unintentional leftover from development. They started with having users choose their own usernames, but switched along the way to using e-mail addresses. Including a simple username in the feed would probably be fine, but it became a privacy issue when e-mail addresses were left in the feed as usernames.
I found the flaw over the weekend by monitoring traffic on my home network while using the IntoNow app. I use the Charles proxy tool for troubleshooting and analyzing. This is something regular users would never do, but odds are that hackers and spammers as well as people knowledgeable about iOS and Web development might.
My first step was to send an e-mail in the pre-dawn hours Monday to IntoNow’s PR person so I could get in touch with their team and give them a chance to fix the problem before I posted this. CEO Adam Cahan got back to me quickly. I provided details showing how user e-mail addresses were exposed in the data feed. They explained their commitment to the importance of privacy protection and expressed appreciation for bringing the problem to their attention. Their team was able to remove the usernames/e-mail addresses from the feeds by late last night. Basically, the e-mail addresses were like spare parts in the feed and the app wasn’t using them anyway.
The flaw was in the feed from IntoNow’s servers, so the fix took effect immediately with no update of the app itself needed. Users do not have to take any additional action.
IntoNow points out that their feeds use SSL encryption. That protects data in transit between your device and the destination server from being intercepted by a third party, but it does nothing to keep your data out of a feed the server deliberately sends to any authorized user, who can read it on their own device.
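The distinction matters because the only reliable fix is on the server: send nothing the app does not render. The following is an added illustration, not IntoNow’s code and not their actual feed format; it uses a constructed JSON response with made-up field names to show a tester’s check that flags e-mail-shaped values anywhere in a captured response, beside an allow-list projection of user objects that would have kept the repurposed username field out of the feed in the first place.

```python
import json
import re

# Constructed sample of what a show-page feed might have looked like before
# the fix: each user object carries a "username" that is really an e-mail.
# Field names and values are made up here, not IntoNow's real format.
LEAKY_FEED = json.dumps({
    "show": "Example Show",
    "tagged_by": [
        {"first_name": "Ann", "last_name": "Example",
         "picture": "https://example.test/a.jpg", "username": "ann@example.test"},
        {"first_name": "Bob", "last_name": "Sample",
         "picture": "https://example.test/b.jpg", "username": "bob@example.test"},
    ],
})

# The only user fields the app renders; anything else is spare parts that
# should never leave the server.
PUBLIC_USER_FIELDS = ("first_name", "last_name", "picture")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _walk(node, path, hits):
    # Recursively collect the JSON paths of string values shaped like e-mails.
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, f"{path}.{key}", hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", hits)
    elif isinstance(node, str) and EMAIL_RE.match(node):
        hits.append(path)
    return hits


def audit_feed(feed_json):
    """Tester's check: run over a response captured from the proxy and report
    where e-mail-shaped values sit, whether or not the app displays them."""
    return _walk(json.loads(feed_json), "$", [])


def scrub_feed(feed_json):
    """Server-side fix: rebuild each user object from an allow-list of fields,
    so a repurposed column (username turned e-mail) cannot leak by default."""
    feed = json.loads(feed_json)
    feed["tagged_by"] = [{k: u[k] for k in PUBLIC_USER_FIELDS if k in u}
                         for u in feed["tagged_by"]]
    return json.dumps(feed)
```

Running `audit_feed` on the constructed feed reports both username paths; running it on the output of `scrub_feed` reports nothing, while the name and picture fields the app actually uses survive.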
As far as I can see, there is no way to know whether anyone might have already harvested e-mail addresses from the IntoNow feed before the fix went into place. This is because the addresses were included with the routine feed data and no hacking or intrusion was needed to view them. Harvesting them or harming people with the information would violate IntoNow’s Terms of Service agreement, but criminals by definition are already breaking the law.
Personally, I gave up on most privacy long ago when I was an investigative news producer and saw how much data is available on everyone. However, as IntoNow acknowledges, privacy is a very serious issue.
What could you do with someone’s e-mail address, name, picture, friend list and TV viewing information? Hypothetical situations from least to most extreme include:
- Spammers could send you e-mails
- Hackers could gather e-mail addresses, pose as friends and send phishing e-mails inviting you to a fake sweepstakes about a show you watched
- If someone registered an e-mail address with a domain they own, you could discover the person’s personal Web site URL or domain for a moonlighting business
- Cyberstalkers could e-mail people they do or don’t know in real life, including all the in-app friends of a particular person
- Stalkers could find the e-mail address of an estranged lover
- Predators could see the e-mail address of everyone who tagged iCarly and send e-mails to people who look underage in their profile pictures
- Stalkers could target .edu e-mail addresses, find the person’s school, use the name and approximate age based on the profile picture to locate a physical address through other means, and know when the person is likely to be home at night watching a favorite show
Sound crazy? It always does until it becomes a headline. These kinds of scenarios keep privacy advocates up at night, so all developers have to consider the possibilities. Again, these are hypothetical and I know of no harm suffered by anyone from IntoNow user e-mail addresses being accessible.
TripAdvisor learned the hard way last week what a headache the exposure of e-mail addresses can be. The company alerted users that its e-mail system had been hacked and some e-mail addresses were stolen. It’s a good example of how some hackers specifically seek out this kind of user data.
- Due to privacy concerns and system complexity, social media applications have to be very careful about the amount of information shared publicly.
- All software is theoretical until it launches. After launch, it’s a good idea to dig in and see if it’s really working under the hood as expected. It doesn’t always turn out the way it worked in staging and can change with every release.
- Beware changing how a data point is used. It can lead to unintended consequences. This is especially true when so many sites have APIs talking back and forth with each other. Sometimes you’re better off just making a new data field than reusing one.
- Think like a bad guy. Or an auditor. What is the most nefarious use anyone can think of for your service or data? Someone else has probably thought of it and may have done it already.
- Media companies need to conduct due diligence on partner products and always have an indemnification clause in contracts. There are a lot of companies moving very quickly in iTV and social media. It took years for Web sites and even social media services such as Facebook to get where they are today with security and privacy control options. The mobile app world is still very new.