Tuesday, January 27, 2015
Lack of encryption makes official NFL mobile app a spear phisher's dream
Researchers: Usernames, passwords, and e-mail addresses transmitted in the clear.
by Dan Goodin - Jan 27 2015, 7:40am PST
[Image: NFL Mobile app login screens that result in the vulnerability. Credit: Wandera]
Verizon sucks - TGFP.
The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Super Bowl XLIX, traditionally one of the world's most popular sporting events.
As Ars has chronicled in the past, large numbers of people use the same password and e-mail address to log into multiple accounts. That means that people who have used the NFL app on public Wi-Fi hotspots or other insecure networks are at risk of account hijackings. The threat doesn't stop there: the exposed credentials allow snoops to log in to users' accounts on http://www.nfl.com, where still more personal data can be accessed, researchers from mobile data gateway Wandera warned. Profile pages, for instance, prompt users to enter their first and last names, full postal address, phone number, occupation, TV provider, date of birth, favorite team, greatest NFL Memory, sex, and links to Facebook, Twitter, and other social networks. Combined with "about me" data, the personal information could prove invaluable to spear phishers, who send e-mails purporting to come from friends or employers in hopes of tricking targets into clicking on malicious links or turning over financial data. Adding to the risk, profile pages are transmitted in unencrypted HTTP, making the data susceptible to still more monitoring over unsecured networks, the researchers reported.
"Wandera's scanning technologies have discovered that after the user securely signs into the app with their NFL.com account, the app leaks their username and password in a secondary, insecure (unencrypted) API call," a report published Tuesday warned. "The app also leaks the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains."
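The two leaks Wandera describes (credentials re-sent in a secondary unencrypted API call, and identity carried in a cleartext cookie on later requests) are exactly what a passive sniffer on a shared Wi-Fi network would pick up. The following is an added example, not code from the article, from Wandera or from the NFL app: a small Python checker that takes raw HTTP/1.1 requests recovered from a capture and flags credential-looking fields in the URL query, form or JSON body, and Cookie header. The capture, the hostnames under example-league.test and the paths are all constructed for illustration; the real endpoints are not given in the article.

```python
"""Passive check for credentials sent over plaintext HTTP.

Added example (not the article's or Wandera's code). Input is a list of
(destination_port, raw_request_bytes) pairs as a sniffer would reassemble
them. Requests on a TLS port are skipped: the sniffer only sees ciphertext
there. Everything else is parsed and searched for credential-like fields.
"""
import json
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qsl, unquote, urlsplit

# Field names that usually carry a secret or an identity (case-insensitive substring match).
SENSITIVE_KEYS = ("pass", "pwd", "user", "email", "login", "token", "session", "auth")

# Heuristic: in this example a destination port stands in for "TLS or not".
# Real tooling should key off the TLS record layer, not the port number.
TLS_PORTS = {443, 8443}


@dataclass
class Finding:
    host: str
    path: str
    location: str  # "query", "form", "json" or "cookie"
    field: str
    value: str


def _is_sensitive(name: str) -> bool:
    n = name.lower()
    return any(k in n for k in SENSITIVE_KEYS)


def _parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, target, headers, body


def _flatten_json(obj, prefix=""):
    """Yield (dotted.key, value) pairs so nested objects are searched too."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten_json(v, prefix + str(k) + ".")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten_json(v, prefix + str(i) + ".")
    else:
        yield prefix.rstrip("."), str(obj)


def scan_request(dst_port: int, raw: bytes) -> List[Finding]:
    """Return every credential-like field this plaintext request exposes."""
    if dst_port in TLS_PORTS:
        return []  # wrapped in TLS: a passive observer sees only ciphertext
    _method, target, headers, body = _parse_request(raw)
    host = headers.get("host", "")
    parts = urlsplit(target)
    findings: List[Finding] = []

    def add(location, pairs):
        for k, v in pairs:
            if _is_sensitive(k):
                findings.append(Finding(host, parts.path, location, k, v))

    # 1. Query string: shows up in proxy logs and browser history as well as on the wire.
    add("query", parse_qsl(parts.query, keep_blank_values=True))
    # 2. Body: the "secondary, insecure API call" pattern.
    ctype = headers.get("content-type", "")
    if body:
        if ctype.startswith("application/x-www-form-urlencoded"):
            add("form", parse_qsl(body.decode("latin-1"), keep_blank_values=True))
        elif ctype.startswith("application/json"):
            try:
                add("json", list(_flatten_json(json.loads(body))))
            except ValueError:
                pass  # not valid JSON; nothing to search structurally
    # 3. Cookie header: identity leaked on every subsequent cleartext request.
    cookie = headers.get("cookie")
    if cookie:
        pairs = [c.strip().split("=", 1) for c in cookie.split(";") if "=" in c]
        add("cookie", [(k, unquote(v)) for k, v in pairs])
    return findings


def scan_capture(capture) -> List[Finding]:
    """Run scan_request over every (dst_port, raw_request) pair in a capture."""
    out: List[Finding] = []
    for port, raw in capture:
        out.extend(scan_request(port, raw))
    return out


# Constructed sample capture. Hosts and paths are hypothetical, not the NFL's.
SAMPLE_CAPTURE = [
    # 1. The initial sign-in over TLS: only a ClientHello fragment is visible (constructed bytes).
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # 2. A secondary API call that re-sends the credentials over plain HTTP.
    (80, b"POST /api/v1/session HTTP/1.1\r\n"
         b"Host: api.example-league.test\r\n"
         b"Content-Type: application/json\r\n"
         b"Content-Length: 52\r\n\r\n"
         b'{"username":"fan42","password":"hunter2","tz":"PST"}'),
    # 3. A later page fetch carrying the user's identity in a cleartext cookie.
    (80, b"GET /profile HTTP/1.1\r\n"
         b"Host: www.example-league.test\r\n"
         b"Cookie: username=fan42; email=fan42%40example.test; theme=dark\r\n\r\n"),
    # 4. A harmless plaintext request with no credential-like fields.
    (80, b"GET /scores?week=12 HTTP/1.1\r\nHost: www.example-league.test\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"{f.host}{f.path}: {f.field!r} exposed in {f.location} (value {f.value!r})")
```

Against the sample capture the checker reports four exposures: `username` and `password` in the JSON body of the plaintext API call, and `username` and `email` in the cookie of the later page fetch. The TLS request contributes nothing, which is the point: the fix on the app side is to make every call that carries credentials or session identity, and every cookie that carries them, travel only over HTTPS (a `Secure` cookie attribute stops the browser-style leak in case 3). The port heuristic and the substring match on field names are deliberately simple; treat hits as leads to confirm by hand, not as proof.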
The app allows users to make a variety of in-app purchases. The report said it's unclear if credit card information was exposed. A Wandera spokeswoman said NFL mobile apps for both iOS and Android are vulnerable. Until the weakness is fixed, users should consider not using the app, since use over private networks and virtual private networking apps still exposes the data to people with access to those services.
Post updated to add details about the Android version of the app.
Promoted Comments
Burgernaut (Seniorius Lurkius, Subscriptor) wrote:
To my surprise, Apple's App Store Review Guidelines don't say "Apps that transmit sensitive information like user names and passwords without encryption will be rejected." Maybe they should.
And maybe that should be "strong encryption", otherwise lazy or clueless programmers will just use XOR.