Gowalla Passport Decloak Revisited
We have talked about Gowalla in the past here and here so I won't drag this post on. Essentially this post is an update to say that Gowalla has started to implement measures to further secure passports (profiles). Turns out they just made it only slightly more difficult.
With almost no effort anybody (without authentication) can still obtain the user's Twitter username, hometown, and friends list. With a little brute-force effort we can also reverse-lookup checkins: the script (linked below) tries lookups against the spots found for whatever the user entered as their hometown.
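To make the defect concrete from the defending side, here is an added example (my own illustration, not Gowalla's code and not the tool from this post). It models a hypothetical profile endpoint in two forms: the weak one that hands every field to any caller, and a hardened one that gates each field on the viewer's relationship to the owner, plus a per-caller throttle that blunts the hometown-spot enumeration the post describes. All names (`Profile`, `weak_profile_view`, `hardened_profile_view`, `LookupThrottle`) and the sample data are constructed for the example.

```python
"""Hypothetical profile-visibility logic (added example, not Gowalla's code).

Models the issue described in the post: a profile endpoint that returns the
Twitter handle, hometown and friends list to unauthenticated callers, and a
checkin lookup that can be brute-forced spot by spot. The hardened variant
returns only what the viewer is entitled to and throttles lookups per caller.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Profile:
    user_id: int
    twitter: str
    hometown: str
    friends: List[int]
    checkins: List[str]        # spot names (constructed sample data)
    public: bool = False       # owner's own opt-in visibility setting


def weak_profile_view(profile: Profile, viewer: Optional[int]) -> dict:
    """The 'before': every field is returned no matter who asks (viewer ignored)."""
    return {
        "twitter": profile.twitter,
        "hometown": profile.hometown,
        "friends": list(profile.friends),
        "checkins": list(profile.checkins),
    }


def hardened_profile_view(profile: Profile, viewer: Optional[int]) -> dict:
    """Return only the fields the viewer may see.

    Anonymous callers get nothing; the owner and friends get the full view;
    other authenticated users get the hometown only if the owner opted in.
    """
    if viewer is None:
        return {}
    if viewer == profile.user_id or viewer in profile.friends:
        return weak_profile_view(profile, viewer)
    visible: Dict[str, str] = {}
    if profile.public:
        visible["hometown"] = profile.hometown
    return visible


class LookupThrottle:
    """Fixed-window, per-caller cap on checkin/spot lookups.

    A clock can be injected (hypothetical, for testing) so the window logic
    runs deterministically; the default is time.monotonic().
    """

    def __init__(self, limit: int, window_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock
        self._hits: Dict[str, tuple] = {}   # caller -> (window_start, count)

    def allow(self, caller: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window_s:     # window expired: start a new one
            start, count = now, 0
        count += 1
        self._hits[caller] = (start, count)
        return count <= self.limit


def checkin_lookup(profile: Profile, viewer: Optional[int], spot: str,
                   throttle: LookupThrottle, caller: str) -> Optional[bool]:
    """Answer 'did this user check in at spot?' only for entitled, unthrottled callers.

    Returns None when the caller is not allowed to learn the answer, so a
    refused lookup is indistinguishable from a throttled one to the caller.
    """
    if not throttle.allow(caller):
        return None
    if "checkins" not in hardened_profile_view(profile, viewer):
        return None
    return spot in profile.checkins


if __name__ == "__main__":
    alice = Profile(1, "@alice", "Austin", friends=[2], checkins=["Coffee Shop"])
    print("weak, anonymous:", weak_profile_view(alice, None))
    print("hardened, anonymous:", hardened_profile_view(alice, None))
    print("hardened, friend:", hardened_profile_view(alice, 2))
```

The key design point is that visibility is decided server-side per field from the viewer's identity, not from whether the client happened to be the official app, and that the lookup path refuses rather than degrading gracefully once a caller exceeds its budget.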
It seems like I'm yelling into the void of space when I say this, but vendors need to take the security and privacy of their clients' data seriously. Even for a free service like Gowalla. Respect your clients by understanding the value their data brings to your business and what the protection of that data means to them. I'm slightly biased because it's our business, but third-party security assessments are just part of the development process now. Use them.
There is a video demonstration of the tool over on evilpacket.net
The code works… it's not pretty, but it works. Get the tool here.