Due to a lack of encryption in communication with the associated web services, the Seeking Alpha mobile application for Android and iPhone leaks personally identifiable and confidential information, including the username and password to the associated account, lists of user-selected stock ticker symbols and associated positions, and HTTP cookies.
Seeking Alpha provides individuals with the ability to track and quantify their stock portfolio holdings. The vendor’s website states “Seeking Alpha is a platform for investment research, with broad coverage of stocks, asset classes, ETFs and investment strategy. In contrast to other equity research platforms, insight is provided by investors and industry experts rather than sell-side analysts.”
An attacker in a privileged position on the target's network can intercept, view, and modify communications between the Seeking Alpha mobile application and its associated web services trivially, due to the reliance on HTTP cleartext communications, rather than HTTPS. HTTP is used for routine polling for stock ticker symbols the user has configured, which may reveal overly personal financial information about the user that could be used in a targeted attack.
In addition, HTTP is used for the authentication sequence. The user's full e-mail address, password, and HTTP session tokens are transmitted in the clear, as are less critical elements such as the fingerprintable User-Agent (which reveals build and platform information).
In this sample, a user login information (username, password) may be obtained using a simple packet capture:
Mobile device characteristics can also be retrieved (Android OS version and Android Device Token are present):
Furthermore, persistent session information (the user ID, email address and the session token aka “user_remember_token”) is clearly visible:
Stock ticker symbols are also included (either when added, or when receiving portfolio holdings, which may include positions per symbol if the user has entered those):
Curiously, HTTPS requests to https://seekingalpha.com using a normal browser on a traditional PC or laptop are also redirected to HTTP services, rather than the reverse. This includes the authentication sequence. This observation seems to indicate that the preference for HTTP over HTTPS appears to permeate through the engineering practices at Seeking Alpha.
Until Seeking Alpha provides a fix for the mobile application, users are strongly advised to not use the application while connected to untrusted networks. The use of a VPN will also help alleviate the most likely risk of a nearby eavesdropper on a public network, but note that this would protect communication only as far as the VPN endpoint.
This vulnerability is being disclosed in accordance with Rapid7's disclosure policy.
- Tue, May 03, 2016: Initial contact to email@example.com and other aliases.
- Wed, May 19, 2016: Confidential disclosure to CERT (VR-142).
- Wed, Jul 13, 2016: Public disclosure (planned).