
Mobile

9/5/2013
12:05 PM
Dark Reading
Products and Releases

Vuln. Confirmed In Yahoo! Fantasy Football Mobile App

NT OBJECTives discovered that the mobile app was vulnerable to session hijacking

IRVINE, CA – September 5, 2013 – Are you ready for some football!? NT OBJECTives, Inc., provider of the most automated, comprehensive and accurate web application security software, services and SaaS, has confirmed a mobile web application vulnerability in a recent prior version of the popular Yahoo! Fantasy Football application that, when exploited, allowed individuals to change team line-ups and post imposter comments. Users who have not updated their mobile app to the most recent version are at risk of having their line-ups manipulated by other league managers or troublemaking hackers.

While conducting vulnerability testing, NT OBJECTives discovered that the Yahoo! Fantasy Football mobile app was vulnerable to session hijacking, a failure of session management (the mechanism that authenticates the user and ensures an attacker isn't impersonating a user or eavesdropping on the service). The mobile web application vulnerability allowed an attacker to impersonate another player on message boards and manipulate other players' lineups, putting injured or poorly performing players in the weekly lineup while benching top-seeded players on that individual's team.

"Our research shows that very few mobile apps are developed and tested with security in mind. One of the most common security mistakes made during the development of mobile web applications is related to session management," said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "In most cases, a vulnerability in any single area isn't a significant liability. However, the more mistakes that are made, the easier it is to attack the application, and that was the case with Yahoo's fantasy football mobile application."

While this vulnerability doesn't represent a major risk for people, it is an example of the many vulnerable mobile applications with weak or nonexistent session management. This points to a larger trend of insecure mobile applications being developed and delivered too quickly without proper security testing. It also serves as a reminder that when users fail to update their mobile apps, which they often do, they may be vulnerable to a security breach.

NT OBJECTives identified a number of instances where best practices in web application security were not followed during development, contributing to the application's vulnerability issues:

· The API used by the mobile app did not use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API.

· The session cookies lasted too long. Once the session tokens were stolen, the attacker could continue to impersonate that user for a very long time. Test sessions continued to work for over a month, with the ability to send query requests and roster changes for even longer.

· The application did not use a nonce (number used once) or private token to sign requests and confirm their legitimacy; it relied on a simple session cookie alone.

· The requests from the mobile web application included full-blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. The demonstration did not pursue SQL injection, since its goal was to change the victim's lineup. To do so, the attacker only needed to look at the SQL statement and see that the value for the 'mbody' column is an XML document of the full lineup. By extracting that XML, making the desired changes, and placing it back into the SQL statement, the hacker could send the modified lineup on.

"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," said Kuykendall. "Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognizes the secret, it knows the request is valid. When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."
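The four weaknesses listed above and the shared-secret model Kuykendall describes map onto concrete server-side controls. The following Python example is added here and is not NT OBJECTives' or Yahoo!'s code; the API shape, the session store, the `lineups` table with its `mbody` column, and the user names are assumptions modelled on the release. It shows short-lived sessions, a per-session secret that is issued once and never re-sent, a nonce plus HMAC signature on every request (so a captured request cannot be replayed), and a lineup update that binds SQL parameters server-side instead of executing client-supplied SQL.

```python
"""Hardened request handling for a fantasy-lineup API (added example, assumed API).

Mitigates the weaknesses the release lists: short-lived sessions, a per-session
shared secret that is never re-transmitted, a nonce plus HMAC signature on each
request, and server-side SQL with bound parameters instead of client-sent SQL.
"""
import hashlib
import hmac
import secrets
import sqlite3
import xml.etree.ElementTree as ET

SESSION_TTL = 15 * 60   # seconds; the release describes sessions that stayed valid for over a month
CLOCK_SKEW = 60         # seconds a request timestamp may differ from server time


def sign(secret: bytes, token: str, nonce: str, timestamp: int, body: str) -> str:
    """Client side: HMAC over token, nonce, timestamp and body with the shared secret."""
    msg = f"{token}|{nonce}|{timestamp}|{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Server side: sessions expire, and each (token, nonce) pair is accepted once."""

    def __init__(self):
        self.sessions = {}        # token -> (user_id, shared_secret, expires_at)
        self.seen_nonces = set()  # (token, nonce) pairs already used

    def create(self, user_id: str, now: int):
        token = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self.sessions[token] = (user_id, secret, now + SESSION_TTL)
        # The secret is handed to the client once at login and never sent on the wire again.
        return token, secret

    def verify(self, token, nonce, timestamp, body, signature, now):
        """Return the authenticated user_id, or None if the request must be rejected."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, secret, expires_at = entry
        if now > expires_at:                    # a stolen token stops working quickly
            del self.sessions[token]
            return None
        if abs(now - timestamp) > CLOCK_SKEW:   # stale or future-dated request
            return None
        if (token, nonce) in self.seen_nonces:  # replay of a captured request
            return None
        expected = sign(secret, token, nonce, timestamp, body)
        if not hmac.compare_digest(expected, signature):
            return None
        self.seen_nonces.add((token, nonce))
        return user_id


def setup_db():
    """Constructed schema modelled on the 'mbody' XML column the release mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lineups (user_id TEXT PRIMARY KEY, mbody TEXT)")
    conn.execute("INSERT INTO lineups VALUES ('alice', '<lineup><qb>Starter</qb></lineup>')")
    return conn


def get_lineup(conn, user_id):
    row = conn.execute("SELECT mbody FROM lineups WHERE user_id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def update_lineup(conn, store, token, nonce, timestamp, body, signature, now) -> bool:
    """Apply a lineup change only to the row owned by the authenticated session."""
    user_id = store.verify(token, nonce, timestamp, body, signature, now)
    if user_id is None:
        return False
    try:
        ET.fromstring(body)  # the server accepts lineup XML, never SQL text
    except ET.ParseError:
        return False
    # user_id comes from the session, not the request, and the SQL is parameterised.
    conn.execute("UPDATE lineups SET mbody = ? WHERE user_id = ?", (body, user_id))
    return True


if __name__ == "__main__":
    store, conn = SessionStore(), setup_db()
    token, secret = store.create("alice", now=1000)
    body = "<lineup><qb>Backup</qb></lineup>"
    sig = sign(secret, token, "n1", 1000, body)
    print("first request:", update_lineup(conn, store, token, "n1", 1000, body, sig, now=1005))
    print("replayed request:", update_lineup(conn, store, token, "n1", 1000, body, sig, now=1006))
```

Because the client signs each request with a secret that is never transmitted, a rogue hotspot that records traffic gains only single-use signatures; and because `user_id` is taken from the session rather than from the request, a valid session for one manager cannot be pointed at another manager's row.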

Yahoo! was notified of the vulnerability and the newest version now requires SSL. However, the vulnerability still exists for mobile users who have not updated the application. For more information and to see a demonstration of how the mobile hack works, see Kuykendall's video, "Dan Hacks Fantasy Football" at http://go.ntobjectives.com/l/8672/2013-09-04/dhg2h

NTOSpider's dynamic application security testing (DAST) solution allows companies to test mobile and web applications built with the newest programming technologies like JSON, REST, SOAP, HTML5 and AJAX.

Tweet: @ntobjectives finds @Yahoo #fantasyfootball Vuln. Change line-ups to win! Are you ready for some football? http://bit.ly/17rKzm2 #infosec

About NT OBJECTives, Inc.

NT OBJECTives, Inc. (NTO) is a provider of automated, comprehensive and accurate mobile and web application security software, services and SaaS. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.
