
Goodreader & the iPad

EDIT: please check out my new post, with the real problem identified. This post contains old information that is not correct!

Goodreader is by far the best interface and app for handling different file types on the iPad…PDFs, doc files, images, etc. But this morning at the ALA Annual conference I discovered one really scary security issue with it. By default, Goodreader doesn’t require authentication or any warning to connect via Bonjour, and it allows you to browse AND DOWNLOAD any files that are so shared. Sitting in the Conference Center lobby, I was able to connect to two different iPads, view and grab files arbitrarily, and push files TO the iPads as well.

[Screenshot: Goodreader security issue]

[Screenshot: Goodreader security hole]

This is INCREDIBLY SCARY. In the first 2 minutes, I saw files that had credit card information, passwords, bank account information, and more.

If you are using Goodreader and are connected to any public wifi point, go into Settings, Other Settings, and make sure that Ask Permission Before Connecting is ON.

By griffey

Jason Griffey is the Director of Strategic Initiatives at NISO, where he works to identify new areas of the information ecosystem where standards expertise is useful and needed. Prior to joining NISO in 2019, Jason ran his own technology consulting company for libraries, has been both an Affiliate at metaLAB and a Fellow and Affiliate at the Berkman Klein Center for Internet & Society at Harvard University, and was an academic librarian in roles ranging from reference and instruction to Head of IT at the University of TN at Chattanooga.

Jason has written extensively on technology and libraries, including multiple books and a series of full-periodical issues on technology topics, most recently AI & Machine Learning in Libraries and Library Spaces and Smart Buildings: Technology, Metrics, and Iterative Design from 2018. His newest book, co-authored with Jeffery Pomerantz, will be published by MIT Press in 2024.

He has spoken internationally on topics such as artificial intelligence & machine learning, the future of technology and libraries, decentralization and the Blockchain, privacy, copyright, and intellectual property. A full list of his publications and presentations can be found on his CV.
He is one of eight winners of the Knight Foundation News Challenge for Libraries for the Measure the Future project (http://measurethefuture.net), an open hardware project designed to provide actionable use metrics for library spaces. He is also the creator and director of The LibraryBox Project (http://librarybox.us), an open source portable digital file distribution system.

Jason can be stalked obsessively online, and spends his free time with his daughter Eliza, reading, obsessing over gadgets, and preparing for the inevitable zombie uprising.

12 replies on “Goodreader & the iPad”

I don't think your analysis is accurate, though the risk may be. GoodReader doesn't maintain a WebDAV server for sharing over Bonjour unless the WiFi-transfer [sic] dialog appears on screen. You have to tap the Wi-Fi icon, and then the server starts up.

If these two people on the same network were running GoodReader, then they had to have this set in this way. It is more likely they were using another piece of software, like Air Sharing HD, which can maintain a persistent Bonjour-based WebDAV connection.

However, in checking both GoodReader and Air Sharing HD, I see that neither uses port 4242 by default. GoodReader uses port 8080; Air Sharing HD uses port 80 (for nonsecure) and 443 (for SSL/TLS self-signed).

So the two people on the network that you identified are likely using another piece of software that sets the port to 4242, or used that port in the “security through obscurity” model, not knowing that Bonjour was advertising their iPads as servers.

I don't think GoodReader is to blame at all here. It scans for Bonjour-accessible WebDAV and FTP servers on the local network; it doesn't make them available in the way you suggest.
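Glenn's comment above describes the mechanism that actually matters here: an app on the iPad announces a WebDAV or FTP server over Bonjour (multicast DNS), and any client on the same wifi can browse the advertised service names and ports. A library or conference IT person who wants to audit what devices on the local network are announcing can capture mDNS traffic and decode the SRV records. The following is an added example, not code from this post or from GoodReader, Air Sharing HD or Quick Office; it hand-builds a constructed mDNS response (the instance names "Library iPad 1", "Library iPad 2" and the host names are invented) using the port numbers mentioned in this thread, 8080 and 4242, and then decodes it to list which file-sharing service types are being advertised.

```python
"""Decode an mDNS (Bonjour) response and list advertised file-sharing services.

Added example for auditing a local network; not code from the blog post or
from any of the iPad apps discussed there. The sample packet below is
constructed by hand so the script runs offline.
"""
import struct

# Service types that expose files to anyone who can reach the port.
SHARE_TYPES = {"_webdav._tcp.local", "_ftp._tcp.local", "_http._tcp.local"}

TYPE_PTR = 12
TYPE_SRV = 33


def _encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _rr(name, rtype, rdata, ttl=120):
    """Build one resource record; class 0x8001 is IN with the mDNS cache-flush bit."""
    return _encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def _read_name(data, offset):
    """Decode a DNS name, following compression pointers; returns (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_mdns_response(data):
    """Return every SRV record as {instance, service, host, port}."""
    _, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip any question section
        _, offset = _read_name(data, offset)
        offset += 4
    services = []
    for _ in range(ancount + nscount + arcount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata_start = offset
        if rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", data[offset:offset + 6])
            target, _ = _read_name(data, offset + 6)
            # Owner name is "<instance>._<service>._tcp.local"
            instance, _, suffix = name.partition("._")
            services.append({"instance": instance, "service": "_" + suffix,
                             "host": target, "port": port})
        offset = rdata_start + rdlen  # PTR/TXT/A records are skipped by length
    return services


def find_file_shares(data):
    """Only the advertisements that expose files (WebDAV, FTP, HTTP)."""
    return [s for s in parse_mdns_response(data) if s["service"] in SHARE_TYPES]


def _build_sample_response():
    """Constructed mDNS response: two file shares plus one unrelated AirPlay service."""
    records = [
        _rr("_webdav._tcp.local", TYPE_PTR, _encode_name("Library iPad 1._webdav._tcp.local")),
        _rr("Library iPad 1._webdav._tcp.local", TYPE_SRV,
            struct.pack("!HHH", 0, 0, 8080) + _encode_name("library-ipad-1.local")),
        _rr("Library iPad 2._ftp._tcp.local", TYPE_SRV,
            struct.pack("!HHH", 0, 0, 4242) + _encode_name("library-ipad-2.local")),
        _rr("Lobby TV._airplay._tcp.local", TYPE_SRV,
            struct.pack("!HHH", 0, 0, 7000) + _encode_name("lobby-tv.local")),
    ]
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0)
    return header + b"".join(records)


SAMPLE_RESPONSE = _build_sample_response()

if __name__ == "__main__":
    for share in find_file_shares(SAMPLE_RESPONSE):
        print(f"{share['instance']!r} advertises {share['service']} on {share['host']}:{share['port']}")
```

On a real network the same decoder can be fed packets read from a UDP socket bound to 224.0.0.251:5353; the point of the exercise is that whatever is listed here is visible to every other device on the wifi, whether or not the app that announced it asks for permission before accepting a connection.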

Glenn: Thank you for the follow up! I'm almost certain it was Goodreader natively, in that I contacted the individual in question, and when she followed the instructions I gave, I was no longer able to connect.

I will follow up with her, and get a better idea of what she was using in order to make sure my instructions are accurate.

I'm one of the iPad owners. I wasn't using any other software; I don't even know what bonjour or WebDAV are… All I did was access Goodreader at the convention center via its wifi network. I wasn't required to change any settings on my iPad to do so.

Fascinating. What you're describing is not how GoodReader works, so I'm confused. Also, the “4242” in the display for you and the other person is not the port (sort of a numbered cubbyhole attached to an Internet address) used by GoodReader by default.

After testing this a few times, there's no way that I can see that GoodReader would have been sharing your connection, which is what makes this strange. Have you or griffey contacted the makers of the software to find out why this happened?

I replied above. Port 4242 isn't used by default, so someone must have changed it. Do Jennifer and Sara work for a firm that would have configured GoodReader for them?

I'll agree, this is very strange. I followed up with Jennifer by email, and as it turns out, the file that I accessed wasn't in Goodreader at all. It isn't clear to me at this point what on the iPad was allowing the connectivity between the two iPads…but whatever it is, it appears to be a default setting somewhere, as I was able to recreate this time and time again on shared wifi with different iPads.

I don't have 2 iPads, or I'd do testing here and root out the cause. You're completely right…it's most likely some other program that created the hole…and after some quick Googling, it appears that Quick Office might be the culprit…it uses 4242 as its port.

Good sleuthing. I'm still unclear what Jennifer and Sarah were doing (perhaps they were running Quick Office, not GoodReader, and confused the names?), but this sounds more likely.

Air Sharing HD has a WebDAV-sharing feature, too, which you can turn on, but it has some security recommendations, too.

I was running Goodreader. As a matter of fact, I could see other folks' iPads, too, just like Jason. I wasn't running Quickoffice since there is no way to run two apps simultaneously.
