The problems with the highly publicized new iOS and Android photo-sharing app Color continue to mount. According to Forbes, the app has an easily exploitable feature that makes it simple for tech-savvy users to view all the photos of anyone who uses the app.
That’s not to say Color is known for its tight privacy settings — in fact, the exact opposite is true. When a user takes a photo with Color, the photo is automatically uploaded to the Color servers. Then — and this is what makes the app so notable — anyone within a set perimeter of where that photo was taken can see that picture, along with the pictures of any other Color user who happens to be snapping off shots in that particular location.
Right now, that perimeter is set to 150 feet. But because of complaints by early adopters that the app is worthless unless used within the vicinity of other Color users, the company says it plans to implement a sliding scale to determine the range in which photo streams can be shared, based on population density.
The Color hack, first noted in a Twitter post by security researcher and Veracode chief technology officer Chris Wysopal last Thursday, can be carried out with “trivial geolocation spoofing.” In other words, you trick the app into thinking you’re actually somewhere else, and it will display the photos of users in that area.
Wysopal reportedly tried out his location spoof this past weekend using a jailbroken iPad and the (unauthorized) app FakeLocation. Sure enough, it worked exactly as he expected.
“This only took about five minutes to download the FakeLocation app and try a few locations where I figured there would be early adopters who like trying out the latest apps,” Wysopal told Forbes in an email. “No hacking involved.”
Color maintains that all pictures taken using the app are public, anyway, and so the vulnerability in its app is negligible. Still, the whole thing makes us feel a little bit out in the open.