Color app vulnerable to 'trivial geolocation spoofing'

Summary: With Color's big splash, it was inevitable that tinkerers would want to see what makes it tick. A simple new app allows you to look at anyone's Color photos, not just your neighbors'.

With the huge splash that Color (App Store, free) made onto the social photo scene, it was inevitable that tinkerers would deconstruct it to see what makes it tick.

Literally hours after it was released, security researcher and Veracode CTO Chris Wysopal wrote that Color's authentication was “broken” and vulnerable to “trivial geolocation spoofing.”

Wysopal wrote a proof of concept app called Fake Location (which requires a jailbreak, natch) that allows you to set your iPhone location to anywhere you want -- without actually having to be there.

So instead of having to be within 150 feet (say) of another Color user to see their photos, Wysopal's app enables teleporting to a location of your choosing, allowing you to browse photos from afar.

From his couch in New York, Wysopal was able to see Color photos from Harvard, MIT, NYU, and perhaps most shockingly, from Color HQ in Palo Alto where he was able to browse Color CEO Bill Nguyen's personal photos (above).
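An added example (not from the article, Wysopal, or Color): assuming the server decides photo visibility only from coordinates the client reports, the code below shows that such a proximity gate passes for any position the client sends, and how a server-side travel-speed check over consecutive reports flags a jump like New York to Palo Alto. The `Report` type, the speed ceiling, the user names and the coordinates are constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000
PROXIMITY_M = 150 * 0.3048   # the article's "150 feet (say)", in metres
MAX_SPEED_MPS = 300.0        # assumed ceiling, roughly airliner speed

@dataclass
class Report:                # hypothetical record of one client location report
    user: str
    ts: float                # seconds since an arbitrary start
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def is_nearby(viewer, owner):
    """Proximity gate on its own: true for whatever coordinates the client sent."""
    return haversine_m(viewer.lat, viewer.lon, owner.lat, owner.lon) <= PROXIMITY_M

def implausible_jumps(reports):
    """Flag consecutive reports from one user that imply impossible travel."""
    flagged, last = [], {}
    for r in sorted(reports, key=lambda rep: rep.ts):
        prev = last.get(r.user)
        if prev is not None:
            dist = haversine_m(prev.lat, prev.lon, r.lat, r.lon)
            dt = max(r.ts - prev.ts, 1.0)        # guard against zero interval
            if dist / dt > MAX_SPEED_MPS:
                flagged.append((r.user, round(dist / 1000), r.ts - prev.ts))
        last[r.user] = r
    return flagged

# Constructed sample data: approximate city coordinates, invented users.
REPORTS = [
    Report("viewer", 0, 40.7128, -74.0060),       # New York
    Report("viewer", 600, 37.4419, -122.1430),    # Palo Alto, 10 minutes later
    Report("owner", 300, 37.4420, -122.1431),     # Palo Alto
    Report("commuter", 0, 40.7128, -74.0060),
    Report("commuter", 3600, 40.7306, -73.9866),  # a few km in an hour
]
```

The gate accepts the viewer's second report as "nearby" the owner, while the speed check flags only the viewer and leaves the commuter alone.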

But it's more of a cheat than a hack (or security breach).

Color is extremely transparent (?) about its privacy: it doesn't offer any. Which is the point: all of the photos you take on Color are visible to all other users within a given distance from you. Period.

It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see. - Color spokesman John Kuch

I still think that Color has a ton of potential, but it feels like it was rushed out the door before it was ready.

Tip: Andy Greenberg, Forbes.com

Topics: Apps, iPhone, Privacy

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging....
