Color susceptible to geolocation spoofing

From ZDNet:

“Literally hours after it was released, security researcher and Veracode CTO Chris Wysopal wrote that Color’s authentication was ‘broken’ and vulnerable to ‘trivial geolocation spoofing.’

From his couch in New York, Wysopal was able to see Color photos from Harvard, MIT, NYU, and perhaps most shockingly, from Color HQ in Palo Alto where he was able to browse Color CEO Bill Nguyen’s personal photos.”

Excellent.

Color me disappointed

Color is an iPhone app that lets users populate a shared photo album in real time, provided that they’re within 150 feet of each other. It’s a nifty idea, but I suspect two (or more) iPhones running the Posterous app, each pointed to the same account, could do pretty much the same thing. Plus, those users wouldn’t have to be within 150 feet of each other.

For me, that’s the problem. If I’m among 15 or 20 people who are all within 150 feet of each other, we’re pretty much seeing the same thing: a stage, some pool tables, the tasty buffet, each other. I don’t need to reminisce with a gallery of photos from an event that I’m currently attending.

If Color wasn’t restricted by distance, it could work. Imagine the grandparents who can’t attend the graduation monitoring a dynamic photo album of the day’s festivities. Again, there’s nothing stopping people from doing that right now with Posterous, MobileMe Galleries or even Facebook.

Worst of all, there’s nothing to do after installing Color but feel bad about the fact that you aren’t out doing something fun with a bunch of hip, iPhone-wielding shutterbugs. Of course, you could take dumb photos of yourself and look at them.

By yourself.


But there’s already an app for that.

Earlier today, the developers announced two big changes intended for the next update. The first is right in line with my chief complaint: the distance restriction.

“[co-founder and CEO Bill] Nguyen says the app will dynamically calculate the distance required for somebody to be considered ‘nearby.’ Currently, the app searches for anybody within 150 feet of your location. That number will not be a constant any longer: ‘We’re going to start adjusting that range based on the density of cities,’ he says.

For example, cities like Tokyo and New York won’t require a lot of calibration, but Color may determine that your ‘dynamic network’ has a radius of half a mile, especially if you live in a spread-out city or smaller town.”

Excellent. The second change is more puzzling. Specifically, the app won’t run if you aren’t near any other users.

“If you launch the app in the middle of nowhere, you’re essentially going to be locked out. This is designed to prevent you from opening the app and simply having nothing to do or see.”

This will confuse many users into thinking it’s broken. Plus, how does the first user get started?

Bad idea.