Goodreader & the iPad

EDIT: please check out my new post, with the real problem identified. This post contains old information that is not correct!

Goodreader is by far the best interface and app for handling different file types on the iPad: PDFs, doc files, images, etc. But this morning at the ALA Annual conference I discovered one really scary security issue with it. By default, Goodreader doesn’t require authentication or show any warning when someone connects via Bonjour, and it allows you to browse AND DOWNLOAD any files shared that way. Sitting in the Conference Center lobby, I was able to connect to two different iPads, view and grab files arbitrarily, and push files TO the iPads as well.

[Screenshots: Goodreader security issue; Goodreader security hole]

This is INCREDIBLY SCARY. In the first 2 minutes, I saw files that had credit card information, passwords, bank account information, and more.

If you are using Goodreader and are connected to any public wifi point, go into Settings, then Other Settings, and make sure that Ask Permission Before Connecting is ON.
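Bonjour is multicast DNS, so what a device is sharing shows up as ordinary DNS records on the local network. The following is an added example, not part of the original post or of any of the apps discussed: it decodes an mDNS response and lists the file-sharing service types it advertises together with the port each one listens on, which is a way to check what an iPad is exposing; the sample packet is constructed inline, and the device name and the port 8080 (the GoodReader default named in the comments below) are assumptions.

```python
import struct
# Bonjour advertises services as multicast DNS (RFC 6762) records. This decoder
# lists the file-sharing service types a response advertises, with their ports.
FILE_SHARE_TYPES = {"_webdav._tcp.local", "_ftp._tcp.local", "_http._tcp.local"}

def _read_name(pkt, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # pointer: 14-bit offset
            if end is None: end = off + 2          # resume after the pointer
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if ln == 0: break
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def advertised_services(pkt):
    """Return (instance name, service type, port) for advertised file shares."""
    # mDNS responses carry no question section (RFC 6762 section 6): records start at byte 12.
    an, ns, ar = struct.unpack_from("!HHH", pkt, 6)
    off, ptr, srv = 12, {}, {}
    for _ in range(an + ns + ar):
        name, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 12:                            # PTR: service type -> instance name
            ptr[_read_name(pkt, off)[0]] = name
        elif rtype == 33:                          # SRV rdata: prio, weight, port, target
            srv[name] = struct.unpack_from("!H", pkt, off + 4)[0]
        off += rdlen
    return [(i, t, srv.get(i)) for i, t in ptr.items() if t in FILE_SHARE_TYPES]

def _enc(name):                                    # uncompressed DNS name encoding
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def sample_response():
    """Constructed mDNS response: one iPad advertising WebDAV on port 8080 (assumed)."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)   # 2 answer records
    svc, inst = _enc("_webdav._tcp.local"), _enc("Conference iPad._webdav._tcp.local")
    ptr_rr = svc + struct.pack("!HHIH", 12, 1, 120, len(inst)) + inst
    inst_off = len(hdr) + len(ptr_rr) - len(inst)  # offset of the instance name
    srv_rd = struct.pack("!HHH", 0, 0, 8080) + _enc("ipad.local")
    srv_rr = struct.pack("!H", 0xC000 | inst_off)  # owner name given as a pointer
    srv_rr += struct.pack("!HHIH", 33, 1, 120, len(srv_rd)) + srv_rd
    return hdr + ptr_rr + srv_rr
```

Feeding real responses captured on UDP port 5353 to `advertised_services` shows every share a device on the same wifi is announcing; an entry you did not expect is exactly the case the setting above prevents.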

12 thoughts on “Goodreader & the iPad”

  1. I don't think your analysis is accurate, though the risk may be. GoodReader doesn't maintain a WebDAV server for sharing over Bonjour unless the WiFi-transfer [sic] dialog appears on screen. You have to tap the Wi-Fi icon, and then the server starts up.

    If these two people on the same network were running GoodReader, then they had to have this set in this way. It is more likely they were using another piece of software, like Air Sharing HD, which can maintain a persistent Bonjour-based WebDAV connection.

    However, in checking both GoodReader and Air Sharing HD, I see that neither uses port 4242 by default. GoodReader uses port 8080; Air Sharing HD uses port 80 (for nonsecure) and 443 (for SSL/TLS self-signed).

    So the two people on the network that you identified are likely using another piece of software that sets the port to 4242, or used that port in the “security through obscurity” model, not knowing that Bonjour was advertising their iPads as servers.

    I don't think GoodReader is to blame at all here. It scans for Bonjour-accessible WebDAV and FTP servers on the local network; it doesn't make them available in the way you suggest.

  2. Glenn: Thank you for the follow-up! I'm almost certain it was Goodreader natively, in that I contacted the individual in question, and when she followed the instructions I gave, I was no longer able to connect.

    I will follow up with her, and get a better idea of what she was using in order to make sure my instructions are accurate.

  3. I'm one of the iPad owners. I wasn't using any other software; I don't even know what Bonjour or WebDAV are… All I did was access Goodreader at the convention center via its wifi network. I wasn't required to change any settings on my iPad to do so.

  4. To clarify: I didn't access Goodreader via wifi. Wifi was connected when I opened Goodreader.

  5. Fascinating. What you're describing is not how GoodReader works, so I'm confused. Also, the “4242” in the display for you and the other person is not the port (sort of a numbered cubbyhole attached to an Internet address) used by GoodReader by default.

    After testing this a few times, there's no way that I can see that GoodReader would have been sharing your connection, which is what makes this strange. Have you or griffey contacted the makers of the software to find out why this happened?

  6. I replied above. Port 4242 isn't used by default, so someone must have changed it. Do Jennifer and Sara work for a firm that would have configured GoodReader for them?

  7. I'll agree, this is very strange. I followed up with Jennifer by email, and as it turns out, the file that I accessed wasn't in Goodreader at all. It isn't clear to me at this point what on the iPad was allowing the connectivity between the two iPads…but whatever it is, it appears to be a default setting somewhere, as I was able to recreate this time and time again on shared wifi with different iPads.

    I don't have 2 iPads, or I'd do testing here and root out the cause. You're completely right…it's most likely some other program that created the hole…and after some quick Googling, it appears that Quick Office might be the culprit…it uses 4242 as its port.

  8. Good sleuthing. I'm still unclear what Jennifer and Sarah were doing (perhaps they were running Quick Office, not GoodReader, and confused the names?), but this sounds more likely.

    Air Sharing HD has a WebDAV-sharing feature, too, which you can turn on, but it has some security recommendations, too.

  9. I was running Goodreader. As a matter of fact, I could see other folks' iPads, too, just like Jason. I wasn't running Quickoffice since there is no way to run two apps simultaneously.
