Color app vulnerable to 'trivial geolocation spoofing'

Summary: With Color's big splash it was inevitable that tinkerers would want to see what makes it tick. A simple new app allows you to look at anyone's Color photos, not just your neighbors'.

TOPICS: Apps, iPhone, Privacy

With the huge splash that Color (App Store, free) made onto the social photo scene, it was inevitable that tinkerers would deconstruct it to see what makes it tick.

Literally hours after it was released, security researcher and Veracode CTO Chris Wysopal wrote that Color's authentication was “broken” and vulnerable to “trivial geolocation spoofing.”

Wysopal wrote a proof of concept app called Fake Location (which requires a jailbreak, natch) that allows you to set your iPhone location to anywhere you want -- without actually having to be there.

So instead of having to be within 150 feet (say) of another Color user to see their photos, Wysopal's app enables teleporting to a location of your choosing, allowing you to browse photos from afar.

From his couch in New York, Wysopal was able to see Color photos from Harvard, MIT, NYU, and perhaps most shockingly, from Color HQ in Palo Alto where he was able to browse Color CEO Bill Nguyen's personal photos (above).
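As an added illustration (not code from Color, Wysopal, or the original article): a server that gates photos purely on client-reported coordinates, as described above, next to a server-side "impossible travel" check that would flag a New York to Palo Alto jump. The function names, the 340 m/s speed ceiling, and the sample coordinates are assumptions constructed for this example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000
FEET_PER_METER = 3.28084
MAX_SPEED_MPS = 340.0  # assumed ceiling (~speed of sound) for a phone's travel

@dataclass
class Fix:
    lat: float
    lon: float
    ts: float  # server receive time in seconds, never a client-supplied clock

def distance_m(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance between two fixes, in meters."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def is_nearby(viewer: Fix, owner: Fix, radius_ft: float = 150) -> bool:
    """Naive gate: believes whatever coordinates the client reported."""
    return distance_m(viewer, owner) * FEET_PER_METER <= radius_ft

def implausible_jump(prev: Fix, cur: Fix) -> bool:
    """True when moving from prev to cur would need an impossible speed."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        return True  # non-increasing timestamps are treated as suspect
    return distance_m(prev, cur) / dt > MAX_SPEED_MPS

def allow_view(history: list, cur: Fix, owner: Fix) -> bool:
    """Proximity gate plus a check against the viewer's last accepted fix."""
    if history and implausible_jump(history[-1], cur):
        return False
    return is_nearby(cur, owner)

# Constructed sample data: approximate city coordinates, not real user locations.
NEW_YORK = Fix(40.7128, -74.0060, ts=0.0)
OWNER = Fix(37.4419, -122.1430, ts=0.0)        # photo owner in Palo Alto
SPOOFED = Fix(37.4420, -122.1431, ts=60.0)     # same viewer, one minute later

if __name__ == "__main__":
    print("naive gate accepts spoofed fix:", is_nearby(SPOOFED, OWNER))
    print("jump flagged as implausible:", implausible_jump(NEW_YORK, SPOOFED))
    print("view allowed with history:", allow_view([NEW_YORK], SPOOFED, OWNER))
```

A plausibility check like this only catches sudden jumps between fixes; it does not authenticate the location itself, so a first request with no history passes the gate on the client's word alone.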

But it's more of a cheat than a hack (or security breach).

Color is extremely transparent (?) about its privacy: it doesn't offer any. Which is the point: all of the photos you take on Color are visible to all other users within a given distance from you. Period.

It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see. - Color spokesman John Kuch

I still think that Color has a ton of potential, but it feels like it was rushed out the door before it was ready.

Tip: Andy Greenberg, Forbes.com


Talkback

8 comments
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    I still think that Color has a ton of potential, but it feels like it was rushed out the door before it was ready.



    Like all the major social sites were. Certainly Twitter was.

    And even the spokesperson said it was designed to operate like that and it has that functionality built in to some level.

    It may not be what you were expecting. I also suspect that Color will eventually come with a feature that will allow you to expand the 120 feet, maybe for special events, for instance like Glastonbury, but I suspect it will become a standard feature.
    Knowles2
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    What kind of idiot would install this on their phone? I mean, wow, I know Apple users are far from techies, but this is a basic stupid thing to do. They get whatever they get if they put this on their phone.
    Fletchguy
  • I'll happily share photos of my kids with the weird stalker on the train...

    NOT!

    Thanks Color. World's most "open" app. Privacy doesn't even play a part of their plan.
    mattmuir
  • Color me unimpressed

    Social apps that rely on everyone around you having the same app installed seems like a no-go. Other similar ideas have failed for the same reason. Remember Bump, same general idea but for sharing contact info. Got great reviews but nobody used it precisely because it required everyone to have the app installed.

    There is also the social element to it that always seems cooler in the board room than on the street. Reminds me of Zune's squirting feature.
    Tigertank
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    Not true.
    james347
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    Message has been deleted.
    james347
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    To much fanfare they came out and quickly fizzled.

    Is it true they spent $500k on their domain name? You would think they would be able to purchase colorapp.com for so much less
    teddy33
  • RE: Color app vulnerable to 'trivial geolocation spoofing'

    Great!!! thanks for sharing this information to us!
    birumut