Path - Privacy & Security Problems


I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling...

Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is a good thing.

Apart from images. If your friends are posting images, they are sent over http. No security. Anyone monitoring your network connection will be able to see all the images you're viewing.

Now, that's bad enough - but it turns out that all the images you send are visible to the the world even if you've set your post to private.

The images are sent over SSL, but as soon as you return to your "Path", a thumbnail is shown of what you've just posted!

Here's a picture of the logs, so you can see what's happening.

path ssl

So, every image you post or see - including the avatars of your friends - are visible to all. A rather serious security and privacy problem.

Oh, does anyone know what the unencrypted call to "sendgrid.net" is all about?

2 thoughts on “Path - Privacy & Security Problems

  1. How do you snoop traffic on your Android? I'm guess you can make Ubuntu behave as an AP and tcpdump traffic, but I'm not sure how you get a UI like that. Firesheep?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.