{"id":40610,"date":"2015-01-14T16:07:25","date_gmt":"2015-01-15T00:07:25","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=40610"},"modified":"2025-05-27T22:26:27","modified_gmt":"2025-05-28T05:26:27","slug":"apps-sending-plain-http-put-personal-data-risk","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/","title":{"rendered":"Apps Sending Plain HTTP Put Personal Data at Risk"},"content":{"rendered":"<p>At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on Android. We shared with our audience research on other app vulnerabilities because we believe apps (especially mobile apps) will be an increasing attack surface for cybercriminals. Today we\u2019d like to provide an update to this issue concerning <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Periodic_Table_of_Vulnerabilities_-_Insufficient_Transport_Layer_Protection\">insufficient transport-layer protection<\/a>.<\/p>\n<p>This topic covers similar ground to the stats McAfee\u00a0called out last year in the <em>McAfee Mobile Security Report:<\/em> \u201cAfter analyzing the behavior and permissions of thousands of Android apps, our research team found that 82% of apps track mobile activities,\u201d the report said. When this type of data collection is sent to the app developer\u2019s server without proper encryption, users\u2019 personal information and enterprise data are at risk.<\/p>\n<h2><strong>Costco app: naked credentials <\/strong><\/h2>\n<p>The Android apps we analyzed in our AVAR paper are also exposed to this vulnerability. When we tested the Costco app with a fake account, the login request was clearly captured in Fiddler because the request was in plain HTTP. What does this mean? Be more cautious if you are shopping online using your phone while connecting to a public wireless network.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\" rel=\"attachment wp-att-40646\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40646\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\" alt=\"sogou1\" width=\"483\" height=\"218\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png 483w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1-300x135.png 300w\" sizes=\"auto, (max-width: 483px) 100vw, 483px\" \/><\/a><\/p>\n<p>Motivated to discover similar risks in other apps, we tested a few more programs in depth and became very alarmed. This plain HTTP risk is everywhere. Let\u2019s walk through two such apps, Weibo and Sogou.<\/p>\n<p><strong>Weibo: social media chat easily sniffed or spoofed<\/strong><\/p>\n<p><a href=\"http:\/\/www.weibo.com\/\">Weibo<\/a> is a Chinese social media platform like Twitter or Facebook. You post your status, chat with your friends, etc. Now suppose you post a message as follows in Weibo:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou2.png\" rel=\"attachment wp-att-40639\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40639\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou2.png\" alt=\"sogou2\" width=\"499\" height=\"138\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou2.png 499w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou2-300x82.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/a><\/p>\n<p>You can see what\u2019s being sent to the Weibo backend by capturing the traffic from Wireshark:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou3.png\" rel=\"attachment wp-att-40640\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40640\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou3.png\" alt=\"sogou3\" width=\"1114\" height=\"474\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou3.png 1114w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou3-300x127.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou3-1024x435.png 1024w\" sizes=\"auto, (max-width: 1114px) 100vw, 1114px\" \/><\/a><\/p>\n<p>And the cookie is there for an attacker to harvest or even alter your post message via a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">man-in-the-middle<\/a> attack.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou4.png\" rel=\"attachment wp-att-40638\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40638\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou4.png\" alt=\"sogou4\" width=\"1107\" height=\"450\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou4.png 1107w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou4-300x121.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou4-1024x416.png 1024w\" sizes=\"auto, (max-width: 1107px) 100vw, 1107px\" \/><\/a><\/p>\n<p>You may ask Who cares? This is a post on social media and is meant to be public. But what about your private chats with friends? We sent the following message via the chat window:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou5.png\" rel=\"attachment wp-att-40641\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40641\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou5.png\" alt=\"sogou5\" width=\"720\" height=\"378\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou5.png 720w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou5-300x157.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p>Again Wireshark shows us exactly the text, without encryption, begging for an attack (such as modifying the chat, injecting malicious links, etc.). There\u2019s no privacy here!<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.1.png\" rel=\"attachment wp-att-40642\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40642\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.1.png\" alt=\"sogou6.1\" width=\"1117\" height=\"524\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.1.png 1117w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.1-300x140.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.1-1024x480.png 1024w\" sizes=\"auto, (max-width: 1117px) 100vw, 1117px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.2.png\" rel=\"attachment wp-att-40637\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40637\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.2.png\" alt=\"sogou6.2\" width=\"471\" height=\"164\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.2.png 471w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou6.2-300x104.png 300w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/a><\/p>\n<h2><strong>Sogou sends device data via plain HTTP<\/strong><\/h2>\n<p><a href=\"http:\/\/www.sogou.com\">Sogou<\/a> is the most popular Chinese input-method editor, claiming more than 400 million installations. Users benefit from hints to optimized words without having to fully spell them out in Pinyin). (Instead of typing <em>ni hao<\/em> for \u201chello\u201d, for example, you type just \u201cnh.\u201d)<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.1.png\" rel=\"attachment wp-att-40636\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40636\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.1.png\" alt=\"sogou7.1\" width=\"442\" height=\"64\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.1.png 442w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.1-300x43.png 300w\" sizes=\"auto, (max-width: 442px) 100vw, 442px\" \/><\/a><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.2.png\" rel=\"attachment wp-att-40643\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40643\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.2.png\" alt=\"sogou7.2\" width=\"443\" height=\"62\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.2.png 443w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou7.2-300x41.png 300w\" sizes=\"auto, (max-width: 443px) 100vw, 443px\" \/><\/a><\/p>\n<p>That\u2019s all we want from a language input editor, and that\u2019s why we installed it on a Windows 7 machine. However, when we connected an iPod via USB to this machine, we saw the following captured on Fiddler:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.1.png\" rel=\"attachment wp-att-40644\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40644\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.1.png\" alt=\"sogou8.1\" width=\"978\" height=\"340\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.1.png 978w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.1-300x104.png 300w\" sizes=\"auto, (max-width: 978px) 100vw, 978px\" \/><\/a><\/p>\n<p>At first glance the preceding data may not seem like much, but it leads to a question: Why would a language input editor want to know \u201cthe user has connected an iOS device (iPod5), it is running on iOS 7.0, the serial number is \u201c650\u2026,\u201d and it is connected via the USB hub \u201cUSB#ROOT_HUB20#48\u2026\u201d?<\/p>\n<p>When we connected an Android phone, Fiddler showed a similar data collection:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.2.png\" rel=\"attachment wp-att-40645\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-40645\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.2.png\" alt=\"sogou8.2\" width=\"1001\" height=\"344\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.2.png 1001w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou8.2-300x103.png 300w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/a><\/p>\n<p>Collecting device information in these scenarios is not something we expect or appreciate from language-input software. What is scarier is that the plain-HTTP transport invites attacks in the world full of poisoned mobile hotspots.<\/p>\n<p>We call for app developers to close loopholes like these in their security development life cycles.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,142,214],"coauthors":[4136],"class_list":["post-40610","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-tag-identity-theft","tag-mobile-security1"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog<\/title>\n<meta name=\"description\" content=\"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-01-15T00:07:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T05:26:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"483\" \/>\n\t<meta property=\"og:image:height\" content=\"218\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Apps Sending Plain HTTP Put Personal Data at Risk\",\"datePublished\":\"2015-01-15T00:07:25+00:00\",\"dateModified\":\"2025-05-28T05:26:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\"},\"wordCount\":586,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\",\"keywords\":[\"android\",\"identity theft\",\"mobile security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\",\"name\":\"Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\",\"datePublished\":\"2015-01-15T00:07:25+00:00\",\"dateModified\":\"2025-05-28T05:26:27+00:00\",\"description\":\"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Apps Sending Plain HTTP Put Personal Data at Risk\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog","description":"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog","og_description":"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2015-01-15T00:07:25+00:00","article_modified_time":"2025-05-28T05:26:27+00:00","og_image":[{"width":483,"height":218,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Apps Sending Plain HTTP Put Personal Data at Risk","datePublished":"2015-01-15T00:07:25+00:00","dateModified":"2025-05-28T05:26:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/"},"wordCount":586,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png","keywords":["android","identity theft","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/","name":"Apps Sending Plain HTTP Put Personal Data at Risk | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png","datePublished":"2015-01-15T00:07:25+00:00","dateModified":"2025-05-28T05:26:27+00:00","description":"At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/sogou1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apps-sending-plain-http-put-personal-data-risk\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Apps Sending Plain HTTP Put Personal Data at Risk"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=40610"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40610\/revisions"}],"predecessor-version":[{"id":214554,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/40610\/revisions\/214554"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=40610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=40610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=40610"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=40610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}