Color app vulnerable to 'trivial geolocation spoofing'

With Color's big splash it was inevitable that tinkerers would want to see what makes it tick. A simple new app allows you to look at anyone's Color photos, not just your neighbors.

With the huge splash that Color (App Store, free) made onto the social photo scene, it was inevitable that tinkerers would deconstruct it to see what makes it tick.

Literally hours after it was released, security researcher and Veracode CTO Chris Wysopal wrote that Color's authentication was "broken" and vulnerable to "trivial geolocation spoofing."

Wysopal wrote a proof of concept app called Fake Location (which requires a jailbreak, natch) that allows you to set your iPhone location to anywhere you want -- without actually having to be there.

So instead of having to be within 150 feet (say) of another Color user to see their photos, Wysopal's app enables teleporting to a location of your choosing, allowing you to browse photos from afar.

From his couch in New York, Wysopal was able to see Color photos from Harvard, MIT, NYU, and perhaps most shockingly, from Color HQ in Palo Alto where he was able to browse Color CEO Bill Nguyen's personal photos (above).

But it's more of a cheat than a hack (or security breach).

Color is extremely transparent (?) about its privacy: it doesn't offer any. Which is the point: all of the photos you take on Color are visible to all other users within a given distance from you. Period.

It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see. - Color spokesman John Kuch

I still think that Color has a ton of potential, but it feels like it was rushed out the door before it was ready.

Tip: Andy Greenberg,
