Saurik shuts down the Cydia Store after a security vulnerability is found in Cydia account PayPal payments

After disappearing for a while, Saurik has suddenly announced a major change to Cydia. The main reason is that Nullpixel and Andy Wiik, who manage Cydia repositories, discovered a vulnerability in the Cydia platform's account payment function and recommended that users who have linked PayPal immediately cancel their Cydia Store payment authorization; Saurik has also decided to shut the function down.


According to Andy Wiik, who discovered this security vulnerability, no user data was leaked. The flaw arises because once a user has logged in to their Cydia account and linked their PayPal account information, any page can make purchases in the Cydia Store without the user's authorization. Fixing the vulnerability is quite difficult and would take several months, so out of consideration for user account security, and after discussing it with Saurik, the decision was made to close the Cydia Store payment function first.

Saurik also explained the shutdown on the reddit forum:

Unless you are logged in and using Cydia while also browsing a repository with untrusted content (which, FWIW, is difficult to not do with Cydia <- I do appreciate this sad fact about the ecosystem: it was never clear to users that they should be careful installing random repositories), this is “not an issue”. As you would only ever be logged in to Cydia in order to actively buy something or download a paid purchase (Cydia, very much on purpose as a security feature of the software–something I took flak for constantly over years as people wanted it to be “easier”–does not cache login tokens when you close the app) and effectively no one is buying anything anymore (for multiple, even numerous!, reasons, with the result that no one is logged on), this issue affects very few users despite being worded in a very vague way to, I would assume purposefully, cause maximal chaos and carnage, leading to questions that go so far as “how do I do this without being jailbroken”. If you are not jailbroken, you definitely should have no concern about this.
In particular, this vulnerability is not a data leak (as some people are wondering, and given the vague complaint is a perfectly valid thing to be thinking: one would presume that I somehow lost access to PayPal authorization tokens allowing someone else to take money from your PayPal account: this categorically is not the issue at hand today), and there is definitely no need to go out of your way to disable tokens if you are not actually using Cydia anymore: it is “only” (in quotes as this is still a serious issue… if this were actually a product still being used by anyone ;P) the ability to force a purchase by a user who is currently logged in to Cydia; there is no concern about the information in your Cydia account that I know of at this time. (A more reasonable and much less confusing mitigation that would have been less confusing would have been to tell people to log out of Cydia if they were currently using it and to not log back in, maybe ever ;P.)
The reality is that I wanted to just shut down the Cydia Store entirely before the end of the year, and was considering moving the timetable up after receiving the report (to this weekend); this service loses me money and is not something I have any passion to maintain: it was a critical component of a healthy ecosystem, and for a while it helped fund a small staff of people to maintain the ecosystem, but it came at great cost to my sanity and led lots of people to irrationally hate me due to what amounted to a purposeful misunderstanding of how profit vs. revenue works. (That said, shutting this down doesn’t actually mitigate the majority of my costs right now, which involve many terabytes of bandwidth per month continuing to be spent on hosting the archived repositories I took on as my responsibility; I am thankfully currently making enough money from my new job to cover these costs.)
However, given the push from Nullpixel and Andy Wiik to do something about it this morning (which isn’t a problem: I think people think I was saying this to shift “blame” to them? I had to say this to explain why I am doing this now, but I was going to do this anyway next week… I don’t even personally believe in “responsible disclosure”, but I do believe in the importance to avoid confusion; the bug was serious, and affected people actively logged in to Cydia: it is stupid of specifically me that I have made such a massive error in the Cydia Store backend), I’ve had to reconsider my timelines; I have thereby gone ahead and shut down the ability to buy things in Cydia, effective immediately. I will put together a more formal post about the arc of Cydia, likely to be published next week.

Saurik's key points are summarized below

Regarding this vulnerability, Saurik also said that an update to Cydia will follow, expected to be released next week; the update may ship alongside the unc0ver jailbreak tool, as Saurik is working with pwn20wnd.

This does not affect buying tweaks from third-party repositories, but the vulnerability does seem to show how important it is to choose reputable third-party repositories; the list is as follows

What should we do now? Cancel the PayPal link on your Cydia account immediately, following the guide below

This method works for both jailbroken and non-jailbroken users

Step 1

Log in with your PayPal account to the "PayPal My preapproved payments" page.


Step 2

Click the "SaurikIT, LLC" link in the list. If you do not see it, you have never linked PayPal through the Cydia Store to buy tweaks.


Step 3

In the Status column, click "Cancel".


Step 4

Click "Yes" to cancel the Cydia Store payment authorization.


As for the Cydia Store shutdown, what other reasons lie behind it? See the article "Analysis: why did the father of Cydia announce the store is officially closing? It has nothing to do with 'jailbreaking is dead'" to learn more.
