White hat hack breaks Windows Phone Marketplace security

Video shows how Windows Phone 7 apps can be easily swiped and stripped of DRM protections

Once more, Microsoft finds itself in the unenviable position of having one of its security flaws shared with the world. WPCentral has posted a video made by a "'white hat' developer" that shows how cyber shoplifters can easily swipe and unlock apps from Microsoft's Windows Phone 7 Marketplace. The news yet again raises the question of whether Microsoft is slacking on security.

WPCentral asserts that it shared this security flaw with Microsoft "well before the publication of [the] article" but opted to make the information public to motivate the company to fix the problem, in defense of developers who are seeing their wares stolen.

"While many will condemn us for 'promoting piracy,' we respectfully disagree," said WPCentral. "We have heard many complaints from developers about this weakness for months now and it is their right to know about the flaws in the system."

The vulnerability enables a would-be thief to pull an app from the marketplace, strip it of its DRM constraints, and run it with a push of a button. Alternatively, according to the site, one could simply save the XAP file to a local hard drive.

To WPCentral's credit, it has not shared the application for stealing the Windows Phone 7 wares or the methodology behind accomplishing the feat. Other white hat hackers have been less generous; in recent memory, for example, Google's Tavis Ormandy revealed a critical Windows XP vulnerability. He justified his actions by accusing Microsoft of failing to promise to produce a fix in less than 60 days.

This isn't the first security challenge Microsoft has faced on its mobile platform. In late November, three developers released ChevronWP7, capable of jailbreaking Windows Phone 7 devices and enabling users to sideload apps not approved by Microsoft.

This article, "White hat hack breaks Windows Phone Marketplace security," was originally published at InfoWorld.com.
