Chrome to WP7 has less than ideal security

Chrome to WP7 is a handy app which lets one send links from the desktop to one’s Windows Phone 7 handset using an intermediate server.

The app is by Dave Amenta and the service is provided free of charge.

Martani Fakhrou however has a complaint about the security model of the app, which relies on an obfuscated device ID.

He writes:

While Google Chrome to Phone uses OAuth to authenticate users along with their Google accounts, Send to WP7 generates a 6 chars hex number which is calculated from a random GUID generated when the app is started for the first time. This code is then used by the extension to send data back to daveamenta.com server, waiting to be served when the WP7 client fetches the updates.
Since there is absolutely no validation process on the server and the design of the app that makes it impossible to verify who is sending to who depending only on the randomly generated code, abusing this app is just like taking a walk on the shore.

In short an attacker would just send messages to random IDs on Dave’s server, record the ones that belong to real people and could then spam them all day long.

Of course in reality no real attacker would waste their time searching the over 16777216 different available codes to spam a small subset of already small Windows Phone 7 population who has the app installed, but Martani notes that Google’s Chrome to Phone uses OAuth to authenticate users along with their Google accounts, and suggests Dave might want to tighten up on his security.

Read more at Martani.net here.

Update:  Dave Ameta, the developer of Send to WP7 (Previously Chrome to WP7) has given us a statement denying there is any real security issue.  He notes:

The attack posed here would not have been successful after scanning approximately 250 pair codes, which wouldn’t have exposed a single user.  Furthermore, upon finding out about the suggested attack, I tightened security further to ensure that there is absolutely no information leak, even if someone were to distribute this attack across many computers.  Using pair codes is a feature, to avoid harvesting “account information” like so many apps prefer to do.  I’m confident that this security model is sufficient for this class of application today.

If you are reassured, as we are, Send to WP7 is a great utility which can be found at Dave’s site here.

Comments