1/27/2015 07:30 AM

NFL Mobile Sports App Contains Super Bowl-Sized Vulns

Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.

[UPDATED 1/27/15 with comments from the NFL]

Russell Wilson and Tom Brady aren't the only ones who might be due for an interception this Super Bowl Sunday. As the Seahawks and the New England Patriots lock horns on the gridiron, football fans might find that their data is what's being intercepted off the field. According to a report by mobile data gateway firm Wandera, the popular NFL Mobile app has a vulnerability that leaves users' sensitive personal data exposed to man-in-the-middle attacks.

Wandera performed scanning on the app to find that following a successful login by the user through their NFL.com account, the NFL Mobile app leaks their credentials in an unencrypted API call. Additionally, it leaks the username and email address in an unencrypted cookie immediately after login and on subsequent calls by the app to the NFL.com domain. 

That trio of details is enough to get an attacker into a user's full profile on the main NFL webpage. And because that page is also unencrypted, it's trivial for the attacker to siphon off the user's registered personal data through a man-in-the-middle attack. This profile information includes the user's address, phone number, occupation, date of birth, and gender.
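The two leak patterns the report describes (credentials carried in a cleartext API call, and identifying data in a cookie that travels without TLS protection) are exactly what a mobile team can check for in its own app's traffic before release. The following Python script is an added example, not Wandera's scanner or the NFL's code: it audits a captured request log in a simple dict format that is an assumption of this example, using constructed sample entries modelled on the article's description, and shows the same login passing the check once it runs over HTTPS with a Secure cookie.

```python
"""Audit captured app traffic for cleartext credential and identity leaks.

Added example (not from the article, Wandera or the NFL). The log format
(one dict per request with url / body / cookie / set_cookie keys) and the
field names are assumptions; the sample entries are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names that should never cross the wire without TLS.
SECRET_FIELDS = {"password", "passwd", "pwd", "token", "session"}
# Parameter names that identify the account holder.
IDENTITY_FIELDS = {"user", "username", "email", "login"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def looks_identifying(name, value):
    """True if the field name or its (URL-decoded) value identifies a user."""
    return name.lower() in IDENTITY_FIELDS or bool(EMAIL_RE.search(unquote(value)))


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (request-side Cookie header)."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            pairs[key] = value
    return pairs


def parse_set_cookie(header):
    """Return (name, value, set of lower-cased attribute names) for a Set-Cookie header."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {attr.strip().split("=", 1)[0].lower() for attr in rest}
    return name, value, attrs


def audit_entry(entry):
    """Return a list of findings (strings) for one captured request/response."""
    findings = []
    parts = urlsplit(entry["url"])
    host = parts.netloc
    cleartext = parts.scheme.lower() == "http"

    if cleartext:
        # Everything the app submitted: query string plus form body.
        submitted = {**parse_qs(parts.query), **parse_qs(entry.get("body", ""))}
        for name, values in submitted.items():
            if name.lower() in SECRET_FIELDS:
                findings.append(f"credential field '{name}' sent in cleartext to {host}")
            elif looks_identifying(name, values[0]):
                findings.append(f"identifying field '{name}' sent in cleartext to {host}")
        # Cookies replayed on later cleartext calls are just as exposed.
        for name, value in parse_cookie_header(entry.get("cookie", "")).items():
            if looks_identifying(name, value):
                findings.append(f"identifying cookie '{name}' sent in cleartext to {host}")

    # Response side: a cookie without the Secure attribute will be attached
    # to any future http:// request for the domain, TLS or not.
    for header in entry.get("set_cookie", []):
        name, value, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' set by {host} without the Secure attribute")
            if looks_identifying(name, value):
                findings.append(f"cookie '{name}' carries identifying data and can leak on cleartext requests")
    return findings


def count_findings(entries):
    """Total number of findings across a capture."""
    return sum(len(audit_entry(e)) for e in entries)


# Constructed sample capture: hostnames, paths and values are invented.
SAMPLE_CAPTURE = [
    # 1. Login call over cleartext carrying the credentials, which also sets
    #    an e-mail-bearing cookie without Secure (the pattern in the article).
    {"url": "http://api.example.test/v1/login",
     "body": "user=fan%40example.test&password=hunter2",
     "set_cookie": ["profile=fan%40example.test; Path=/"]},
    # 2. Later cleartext call to the main site replaying that cookie.
    {"url": "http://www.example.test/profile",
     "cookie": "profile=fan%40example.test"},
    # 3. The same login done correctly: TLS plus a Secure, HttpOnly cookie.
    {"url": "https://api.example.test/v1/login",
     "body": "user=fan%40example.test&password=hunter2",
     "set_cookie": ["profile=fan%40example.test; Path=/; Secure; HttpOnly"]},
]

if __name__ == "__main__":
    for i, entry in enumerate(SAMPLE_CAPTURE):
        print(f"[{i}] {entry['url']}")
        for finding in audit_entry(entry) or ["no findings"]:
            print("    -", finding)
```

The check is deliberately one-sided: it only reports fields and cookies that are exposed on the wire, so the HTTPS login with a Secure cookie produces no findings even though it carries the same e-mail address. That matches the article's point, which is about transport, not about which data the app collects.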

According to Wandera, the scan was a preliminary probe: its researchers didn't attempt a purchase during the review to confirm whether credit card information would also be visible, nor did they check other apps like NFL Now or NFL Fantasy Football. However, given the rampant reuse of passwords, this might not stop attackers from gaining access to other accounts.

"A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets," says Eldar Tuvey, CEO of Wandera, which reports that almost a quarter of the users in its customer base have NFL Mobile installed on their devices. "Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans."

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

"We’ve looked into this vulnerability and it’s been addressed," says Alex Riethmiller, spokesman for the NFL. "We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible." 

Professional sports websites and apps are a popular target amongst criminal hackers due to the popularity of sports among such a wide range of demographics. For example, in 2013 hackers targeted NFL fans through fake Facebook pages that were seeded with malicious links serving Zeus malware. And in 2012, MLB.com was found to be serving fake antivirus malware through malicious ads delivered through an ad network.

Hackers particularly like to leverage high visibility events like the Super Bowl to take advantage of people's propensity for heightened curiosity and lowered caution about sites offering up the latest news about the event. In fact, back in 2007, the Miami Dolphins' websites were hacked and were serving up malware to visitors at least a week before the team hosted the Super Bowl.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
sonofsaf (User Rank: Apprentice), 1/31/2015 | 8:25:57 AM
Re: artificially generated stampedes
Truth be told, I'm not terribly concerned about manipulation of the NFL mobile app. I'm far more worried about Stingray technology, bulk emails/text messages, reverse 911 platforms, wireless hacks and particularly social media real-time saturation. Give it some thought --- the threats or emergency evac orders would come from people you trust who were inadvertently taken in by a hoax. The website does a far better job of explaining it. Pretty generic really --- it's just the modern day, technological equivalent of shouting "fire" in a crowded theater. 60,000 - 90,000 active cell phones in every NFL stadium.
Broadway0474 (User Rank: Apprentice), 1/29/2015 | 10:47:23 PM
Re: artificially generated stampedes
sonofsaf, a "stampede"? Did I miss something? How would that be generated? I am not poking fun ... just curious how we went from an app vulnerability to people getting crushed to death like they're at an English soccer match.
aws0513 (User Rank: Ninja), 1/29/2015 | 9:07:22 AM
Re: NFL Response?
@Ericka - Thanks for the updated info. I wish I could provide similar answers to regulatory auditors.
ODA155 (User Rank: Ninja), 1/28/2015 | 8:32:44 PM
Re: NFL Response?
@Ericka Chickowski, "...after further review of the alleged mobile app vulnerability(s), we don't care and the flag has been picked up... nothing to see here folks, except the Super Bowl."

Seriously, I know you're not surprised, heck after everything that's happened this NFL season, I'd say their (NFL) response is very fitting.
Marilyn Cohodas (User Rank: Strategist), 1/28/2015 | 11:17:32 AM
Re: NFL Response
"We've looked into this vulnerability and it's been addressed." -- NFL spokesman.

That's reassuring. Unbelievable...
mtanenbaum801 (User Rank: Apprentice), 1/28/2015 | 10:04:00 AM
NFL Response
You've got to be kidding. Their response is a joke and should be treated as such. This is not a vulnerability because we say so and we are going to hold our breath till we turn blue if you don't believe us? Well, ok, maybe you think your users are stupid. But they are not. That is still a stupid-bowl sized hole.
Ericka Chickowski (User Rank: Moderator), 1/28/2015 | 9:11:28 AM
Re: NFL Response?
AWS0513: Please see the updated story for NFL comments. Thx!
sonofsaf (User Rank: Apprentice), 1/27/2015 | 6:56:01 PM
artificially generated stampedes
The biggest threat here is an undiscussable one - the notion of an "artificially generated stampede." NFL stadiums are more susceptible than other large, confined crowds (ballparks, motor speedways, etc.). agsaf.org
ODA155 (User Rank: Ninja), 1/27/2015 | 11:34:27 AM
Re: NFL Response?
@aws0513... here's your response...

...as a referee stands at mid-field and makes the announcement "Reports of possible vulnerabilities to man-in-the-middle attacks against our mobile apps and are under further review...", then he disappears under the hood to watch cartoons for about 5 minutes.

The problem is, the NFL is no different from any other corporation trying to sell its product, look at the article Kelly Jackson Higgins did last week about the Progressive dongle, and they're an insurance company, nobody cares... if something happens, just reach into the can and grab a prepared message or put someone on Roger Goodell's "double-secret-probation list" until it all blows over.

As for the Super Bowl... the Cheaters versus the Loud-mouth upstarts, no thanks, my neighbors and I have decided to have a "mini" Humphrey Bogart film festival... 1st showing, The African Queen, 2nd The Maltese Falcon and ending with Casablanca. We could start a little earlier and have Key Largo as a bonus.
aws0513 (User Rank: Ninja), 1/27/2015 | 9:34:27 AM
NFL Response?
Just curious if the NFL has any formal response to these findings about their app? Any remediation efforts?