[UPDATED 1/27/15 with comments from the NFL]
Russell Wilson and Tom Brady aren't the only ones who might be due for an interception this Super Bowl Sunday. As the Seahawks and the New England Patriots lock horns on the gridiron, football fans might find that their data is what's being intercepted off the field. According to a report by mobile data gateway firm Wandera, the popular NFL Mobile app has a vulnerability that leaves users' sensitive personal data exposed to man-in-the-middle attacks.
Wandera's scan of the app found that, following a successful login by the user through their NFL.com account, the NFL Mobile app leaks their credentials in an unencrypted API call. It also leaks the username and email address in an unencrypted cookie immediately after login and on subsequent calls the app makes to the NFL.com domain.
That trio of details is enough to get an attacker into a user's full profile on the main NFL webpage. And because that page is also unencrypted, it's trivial for the attacker to siphon off the user's registered personal data through a man-in-the-middle attack. This profile information includes the user's address, phone number, occupation, date of birth, and gender.
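The three leak patterns described above (credentials in a cleartext API call, identity cookies sent over cleartext, and identity cookies issued without the Secure attribute) are the kind of thing an app reviewer checks for in captured traffic. The following is an added example, not code from the article, Wandera or the NFL; the sample exchanges, subdomains, paths, field names and cookie names are constructed, and only the nfl.com domain comes from the report.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "username", "email"}
IDENTITY_COOKIES = {"username", "email", "user_email"}  # assumed cookie names


@dataclass
class Exchange:
    url: str                        # full request URL, scheme included
    body: str = ""                  # urlencoded request body, if any
    request_cookies: dict = field(default_factory=dict)
    set_cookies: list = field(default_factory=list)   # raw Set-Cookie values


def audit(ex: Exchange) -> list:
    """Return human-readable findings for one captured request/response."""
    findings = []
    u = urlsplit(ex.url)
    plaintext = u.scheme.lower() == "http"
    # 1. credentials carried by a cleartext API call (query string or form body)
    fields = {k.lower() for k in list(parse_qs(u.query)) + list(parse_qs(ex.body))}
    leaked = sorted(fields & CREDENTIAL_FIELDS)
    if plaintext and leaked:
        findings.append(f"cleartext credentials to {u.netloc}{u.path}: {', '.join(leaked)}")
    # 2. identity cookies sent on a cleartext request (readable by anyone on the path)
    sent = sorted(k for k in ex.request_cookies if k.lower() in IDENTITY_COOKIES)
    if plaintext and sent:
        findings.append(f"identity cookies sent in cleartext to {u.netloc}: {', '.join(sent)}")
    # 3. identity cookies issued without Secure, so the client will re-send them over http
    for raw in ex.set_cookies:
        name = raw.split(";")[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        if name.lower() in IDENTITY_COOKIES and "secure" not in attrs:
            findings.append(f"identity cookie '{name}' set without Secure by {u.netloc}")
    return findings


# Constructed sample capture: a cleartext login, a cleartext profile fetch, a clean TLS login
SAMPLE = [
    Exchange("http://api.nfl.com/v1/login", body="username=fan1&password=hunter2",
             set_cookies=["username=fan1; Path=/", "email=fan1%40example.com; Path=/"]),
    Exchange("http://www.nfl.com/profile",
             request_cookies={"username": "fan1", "email": "fan1@example.com"}),
    Exchange("https://api.example.com/v1/login", body="username=fan1&password=hunter2",
             set_cookies=["session=abc; Secure; HttpOnly; Path=/"]),
]


def audit_all(exchanges=SAMPLE) -> dict:
    return {ex.url: audit(ex) for ex in exchanges}


if __name__ == "__main__":
    for url, found in audit_all().items():
        print(url, "->", found or ["ok"])
```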
According to Wandera, the scan was a preliminary probe: its researchers didn't attempt to make a purchase during the review to confirm whether credit card information would also be visible, nor did they check other apps like NFL Now or NFL Fantasy Football. However, given the rampant reuse of passwords, this might not stop attackers from gaining access to other accounts.
"A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets," says Eldar Tuvey, CEO of Wandera, which reports that almost a quarter of the users in its customer base have NFL Mobile installed on their devices. "Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans."
According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.
"We've looked into this vulnerability and it's been addressed," says Alex Riethmiller, spokesman for the NFL. "We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible."
Professional sports websites and apps are a popular target for criminal hackers because sports draw such a wide range of demographics. For example, in 2013 hackers targeted NFL fans through fake Facebook pages seeded with malicious links serving Zeus malware. And in 2012, MLB.com was found to be serving fake antivirus malware via malicious ads delivered by an ad network.
Hackers particularly like to leverage high-visibility events like the Super Bowl, taking advantage of people's heightened curiosity and lowered caution toward sites offering the latest news about the event. In fact, back in 2007, the Miami Dolphins' websites were hacked and were serving up malware to visitors at least a week before the team hosted the Super Bowl.