a. WISPr is publicly documented. You can read about how it works in the document. As for user creds, I would suspect that maybe the ATT client is using a form of EAP-SIM over WISPr but thats just my guess. It could also be something much simpler that doesn't even bother to verify "credentials" in the normal sense. Whatever is going on - its built in "under the hood".
b. The author of the article is speculating when worrying about buffer overflows and javascript execution. I doubt most wispr parsers even use traditional XML parsers. Besides, its much easier to spoof an AP or execute a man-in-the-middle attack than anything else.
c. The magic whitelist as you call it, is publicly documented and is called "Captive Networks". You can read about it in the iOS documentation. But I suppose its more fun to try to bash without any knowledge.
You are so off-base it's not even funny. I can't believe 3 people upvoted you.
I'm talking about native iPhone apps that try to provide some WISPr-related functionality -- the kind of apps ATT would pay somebody to do if WISPr wouldn't be "build in", OR, if they actually wanted to provide more features than just the basic login.
And the "magic whitelist" is a whitelist on the iPhone itself, that disables the iOS "built in" WISPr support so that native apps work. One of these apps is Boingo.
But you are right about one thing: sometimes I also feel that it seems easier for people to bash on the internet without any knowledge.
b. The author of the article is speculating when worrying about buffer overflows and javascript execution. I doubt most wispr parsers even use traditional XML parsers. Besides, its much easier to spoof an AP or execute a man-in-the-middle attack than anything else.
c. The magic whitelist as you call it, is publicly documented and is called "Captive Networks". You can read about it in the iOS documentation. But I suppose its more fun to try to bash without any knowledge.