Saurik關閉Cydia Store功能，發現Cydia帳戶Paypal支付功能存在安全漏洞

Saurik消失一陣子後，最近突然又宣佈Cydia重大調整，主因負責管理Cydia軟體源Nullpixel和Andy Wiik發現到Cydia平台帳戶支付功能存在漏洞，並建議已經綁定Paypal用戶立即取消 Cydia Store的支付授權，Saurik也決定將此功能關閉。

 

根據Andy Wiik發現到次安全漏洞，表明沒有用戶資料遭到洩漏，會導致這個漏洞是因用戶登錄他們的Cydia帳號後，並將Paypal帳戶資訊連結，就會讓任何頁面能在未經過授權的Cydia Store進行購買，但要修復這個漏洞相當困難，而且要花好幾個月時間，為了考量到用戶帳號安全，逼不得已與Saurik商討後先關閉Cydia Store付費功能。

Saurik 也在reddit論壇上針對此次關閉說明

Unless you are logged in and using Cydia while also browsing a repository with untrusted content (which, FWIW, is difficult to not do with Cydia <- I do appreciate this sad fact about the ecosystem: it was never clear to users that they should be careful installing random repositories), this is “not an issue”. As you would only ever be logged in to Cydia in order to actively buy something or download a paid purchase (Cydia, very much on purpose as a security feature of the software–something I took flak for constantly over years as people wanted it to be “easier”–does not cache login tokens when you close the app) and effectively no one is buying anything anymore (for multiple, even numerous!, reasons, with the result that no one is logged on), this issue affects very few users despite being worded in a very vague way to, I would assume purposefully, cause maximal chaos and carnage, leading to questions that go so far as “how do I do this without being jailbroken”. If you are not jailbroken, you definitely should have no concern about this.
In particular, this vulnerability is not a data leak (as some people are wondering, and given the vague complaint is a perfectly valid thing to be thinking: one would presume that I somehow lost access to PayPal authorization tokens allowing someone else to take money from your PayPal account: this categorically is not the issue at hand today), and there is definitely no need to go out of your way to disable tokens if you are not actually using Cydia anymore: it is “only” (in quotes as this is still a serious issue… if this were actually a product still being used by anyone ;P) the ability to force a purchase by a user who is currently logged in to Cydia; there is no concern about the information in your Cydia account that I know of at this time. (A more reasonable and much less confusing mitigation that would have been less confusing would have been to tell people to log out of Cydia if they were currently using it and to not log back in, maybe ever ;P.)
The reality is that I wanted to just shut down the Cydia Store entirely before the end of the year, and was considering moving the timetable up after receiving the report (to this weekend); this service loses me money and is not something I have any passion to maintain: it was a critical component of a healthy ecosystem, and for a while it helped fund a small staff of people to maintain the ecosystem, but it came at great cost to my sanity and led lots of people to irrationally hate me due to what amounted to a purposeful misunderstanding of how profit vs. revenue works. (That said, shutting this down doesn’t actually mitigate the majority of my costs right now, which involve many terabytes of bandwidth per month continuing to be spent on hosting the archived repositories I took on as my responsibility; I am thankfully currently making enough money from my new job to cover these costs.)
However, given the push from Nullpixel and Andy Wiik to do something about it this morning (which isn’t a problem: I think people think I was saying this to shift “blame” to them? I had to say this to explain why I am doing this now, but I was going to do this anyway next week… I don’t even personally believe in “responsible disclosure”, but I do believe in the importance to avoid confusion; the bug was serious, and affected people actively logged in to Cydia: it is stupid of specifically me that I have made such a massive error in the Cydia Store backend), I’ve had to reconsider my timelines; I have thereby gone ahead and shut down the ability to buy things in Cydia, effective immediately. I will put together a more formal post about the arc of Cydia, likely to be published next week.

根據 Saurik 重點說明如下

• 接受影響大多數都是加入了不受信任內容的軟體源（如盜版源）
• Cydia 目的就是為了讓用戶能有安全購買插件的平台
• 越來越少用戶會選擇透過 Cydia Store 購買插件
• 漏洞並非是因用戶資料被洩漏，最主要是因為 Cydia Store後端的連結Paypal出現漏洞
• 我關閉 Cydia 能夠購買插件的功能，依舊還是可以透過Bigboss軟體源下載插件，即日起立即生效

對於此漏洞，Saurik也表示後續也將會替Cydia進行更新，預計在下週就會推出更新檔案，更新也可能會隨著unc0ver越獄工具推出，Saurik正與pwn20wnd進行合作中。

不過這不影響第三方軟體源的購買插件功能，從這漏洞似乎可以證明，選擇信用良好的第三方軟體源是相當重要，清單如下

• http://repo.packix.com
• https://cydia.hbang.ws
• https://repo.dynastic.co
• http://rpetri.ch/repo
• http://sparkdev.me
• https://poomsmart.github.io/repo
• http://getdelta.co
• https://repo.cpdigitaldarkroom.com
• https://creaturesurvive.github.io
• https://cydia.angelxwind.net
• https://beta.unlimapps.com
• http://apt.alfhaily.me
• http://thecomputerwhisperer.github.io
• http://tateu.net/repo
• https://leftyfl1p.github.io
• http://coolstar.org/publicrepo
• http://cydiageek.yourepo.com
• http://repo.laughingquoll.net
• http://junesiphone.com/supersecret
• https://festival.ml/repo
• https://ib-soft.net/cydia/beta/
• https://cokepokes.github.io
• http://repo.nullpixel.uk
• http://ca13ra1.github.io/repo
• http://toxicappl3inc.github.io/repo
• http://repo.sticktron.net
• http://cydia.rob311.com/repo
• https://mrmadtw.github.io/repo

 

現在我們該怎麼做？立即取消Cydia帳戶連結Paypal功能，可依照底下教學操作

取消Cydia Store綁定Paypal方法

此方法適合有越獄和無越獄用戶操作

步驟 1

透過Paypal帳號登入「Paypal我的預先核准付款」頁面。

 

步驟 2

從清單終點擊「SaurikIT, LLC」連結，如果都沒看見表示你從未使用 Cydia Store 連結Paypal 來購買插件。

 

步驟 3

狀態欄位點選「取消」。

 

步驟 4

點擊「是」，就可以取消 Cydia Store的授權支付。

 

至於Cydia Store 關閉，背後還有哪些原因導致？可透過這篇『分析Cydia之父宣布商店正式關閉原因？與「越獄已死」無任何關聯』來了解。