After a user logs out of the iOS application, the server should destroy the user's session. However, this does not happen: the session created for the iOS application remains valid on the server after the log-out.
When the log-out request is made, the following request and response are exchanged with the server:

POST /apn-unregister HTTP/1.1
Host: www.irccloud.com
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: session=1.eaf395c450d6ad52023804d9846b7376
Accept-Language: en-us
Accept: */*
Content-Length: 117
Connection: keep-alive
User-Agent: IRCCloud/1.8 (iPhone; en; iPhone OS 6.1.6)
The session identifier "1.eaf395c450d6ad52023804d9846b7376" is not destroyed by this request and can be reused over and over again. If this cookie is captured or leaked, an attacker has persistent access to the victim's account, and logging out of the application does nothing to revoke that access.
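The following is an added example, not IRCCloud's code and not part of the original report. It models the two behaviours in a constructed in-memory application: a logout that only unregisters the push token and leaves the server-side session row intact (the behaviour observed above), and a fixed logout that also destroys the session. The session_survives_logout check is the replay test a reviewer would run against the real service: log in, log out, then present the same cookie value to an authenticated endpoint. The class and method names, the whoami endpoint, and the stored push token are assumptions made for the example.

```python
"""Model of the logout flaw described above and a replay check for it.

The two app classes are constructed stand-ins, not IRCCloud's code. The
vulnerable one mirrors the observed behaviour (logout unregisters the APN
token but never touches the session table); the fixed one also destroys the
server-side session so a captured cookie stops working after logout.
"""
import secrets
from http.cookies import SimpleCookie


def session_id_from_cookie_header(header):
    """Extract the session value from the body of a Cookie: header."""
    jar = SimpleCookie()
    jar.load(header)
    return jar["session"].value


class SessionStore:
    """Server-side session table keyed by the cookie value (in-memory stand-in)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = "1." + secrets.token_hex(16)  # same shape as the cookie in the report
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class VulnerableApp:
    """Logout that only unregisters the APN token; the session row survives."""

    def __init__(self):
        self.store = SessionStore()
        self.push_tokens = {}

    def login(self, user, push_token="apn-token"):
        sid = self.store.create(user)
        self.push_tokens[user] = push_token
        return sid

    def apn_unregister(self, sid):
        user = self.store.lookup(sid)
        if user is None:
            return 401
        self.push_tokens.pop(user, None)
        return 200  # session deliberately left in the store (the bug)

    def logout(self, sid):
        return self.apn_unregister(sid)

    def whoami(self, sid):
        """Stand-in for any authenticated endpoint; returns (status, user)."""
        user = self.store.lookup(sid)
        return (200, user) if user else (401, None)


class FixedApp(VulnerableApp):
    """Same API, but logout also destroys the server-side session."""

    def logout(self, sid):
        status = self.apn_unregister(sid)
        self.store.destroy(sid)  # cookie is now dead even if captured earlier
        return status


def session_survives_logout(app, user="victim"):
    """Replay check: log in, log out, then reuse the same cookie value.

    Returns True when the old cookie is still accepted, i.e. the server failed
    to invalidate the session on logout.
    """
    sid = app.login(user)
    if app.whoami(sid) != (200, user):
        raise RuntimeError("login did not yield a working session")
    captured = "session=" + sid  # what a proxy log or device leak would expose
    app.logout(sid)
    replayed = session_id_from_cookie_header(captured)
    status, _ = app.whoami(replayed)
    return status == 200


if __name__ == "__main__":
    print("vulnerable:", session_survives_logout(VulnerableApp()))  # True
    print("fixed:", session_survives_logout(FixedApp()))  # False
```

Against a live service the same check is two requests with one cookie: the /apn-unregister log-out, then any endpoint that requires authentication with the same session value; a 200 on the second request is the finding.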