While conducting vulnerability testing, NT OBJECTives discovered that the Yahoo! Fantasy Football mobile app was vulnerable to session hijacking, an attack in which an attacker captures a user's session token and uses it to impersonate that user or eavesdrop on the service. The mobile web application's weak session management allowed an attacker to impersonate another player on message boards and manipulate other players' lineups, putting injured or poorly performing players in the weekly lineup while benching the best players on that individual's team.
"Our research shows that very few mobile apps are developed and tested with security in mind. One of the most common security mistakes made during the development of mobile web applications is related to session management," said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "In most cases, a vulnerability in any single area isn't a significant liability. However, the more mistakes that are made, the easier it is to attack the application, and that was the case with Yahoo's fantasy football mobile application."
While this vulnerability does not represent a major risk to users, it is one example among many mobile applications with weak or nonexistent session management. It points to a larger trend: insecure mobile applications being developed and delivered too quickly, without proper security testing. It is also a reminder that users who fail to update their mobile apps, as they often do, remain exposed to vulnerabilities the vendor has already fixed.
NT OBJECTives identified a number of instances in which web application security best practices were not followed during development, each contributing to the application's exposure:
· The API used by the mobile app did not use SSL, so even a simple rogue WiFi hotspot could read the traffic between the mobile app and the Yahoo! Fantasy Football API, including the session cookie.
· The session cookies lived far too long. Once a session token was stolen, the attacker could keep impersonating that user for a very long time: test sessions continued to work for over a month, and the ability to send query requests and roster changes lasted even longer.
· The application did not sign requests with a NONCE (number used once) or a private per-session token to prove their legitimacy; it relied on a simple session cookie, so any captured request could be altered and resent.
· The requests from the mobile web application carried full SQL statements, revealing table and column names and opening the door to SQL injection. The demonstration did not pursue SQL injection, since its goal was to change the victim's lineup. For that, the attacker only needed to read the SQL statement and notice that the value written to the 'mbody' column was an XML document describing the full lineup. Extracting that XML, making the desired changes, putting it back into the SQL statement and sending the request was enough.
"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," said Kuykendall. "Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognizes the secret, it knows the request is valid. When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."
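One way to build the controls the list above says were missing, and the shared-secret rule the quote describes (the secret is handed to the client once and never transmitted again; only a signature derived from it travels with each request). This is an added example in Python, not NT OBJECTives' or Yahoo!'s code. The field names, lifetime values, the HMAC-SHA256 construction and the sample lineup XML are all assumptions; the real app's request layout is not on the page.

```python
"""Added example, not code from NT OBJECTives or Yahoo!: a minimal signed-request
scheme with short session lifetime, per-request timestamp and nonce, and the
server-side checks that make a captured request useless to an eavesdropper.
Names, field layout, lifetime values and the sample lineup are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 3600    # absolute session lifetime in seconds (assumed value)
MAX_SKEW = 300        # how old a request timestamp may be (assumed value)


@dataclass
class Session:
    secret: bytes                       # shared secret, sent to the client once at login
    expires_at: float
    seen_nonces: set = field(default_factory=set)


def canonical(method, path, body, ts, nonce):
    """Length-prefix every field so no field boundary can be shifted
    without changing the signature."""
    parts = [method, path, body, str(ts), nonce]
    return "".join(f"{len(p)}:{p}" for p in parts).encode()


def sign(secret, method, path, body, ts, nonce):
    return hmac.new(secret, canonical(method, path, body, ts, nonce),
                    hashlib.sha256).hexdigest()


class Server:
    def __init__(self, now=time.time):
        self.now = now                  # injectable clock, so the demo can jump ahead
        self.sessions = {}

    def login(self, user):
        """Issue a session id and a per-session secret. Both go to the client
        exactly once (over TLS in a real deployment); the secret is never
        transmitted again, only the HMAC it produces."""
        sid = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self.sessions[sid] = Session(secret, self.now() + SESSION_TTL)
        return sid, secret

    def verify(self, req):
        s = self.sessions.get(req["sid"])
        if s is None or self.now() > s.expires_at:
            return False, "session expired"
        if abs(self.now() - req["ts"]) > MAX_SKEW:
            return False, "stale timestamp"
        if req["nonce"] in s.seen_nonces:
            return False, "replay"
        expected = sign(s.secret, req["method"], req["path"], req["body"],
                        req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False, "bad signature"
        s.seen_nonces.add(req["nonce"])   # remember the nonce only for accepted requests
        return True, "ok"


class Client:
    def __init__(self, sid, secret, now=time.time):
        self.sid, self.secret, self.now = sid, secret, now

    def request(self, method, path, body=""):
        ts = int(self.now())
        nonce = secrets.token_hex(8)
        return {"sid": self.sid, "ts": ts, "nonce": nonce, "method": method,
                "path": path, "body": body,
                "sig": sign(self.secret, method, path, body, ts, nonce)}


def demo():
    """Walk through the attacks the page describes against a server that signs
    and expires sessions. Returns the server's verdict for each step."""
    clock = [1_700_000_000.0]           # fake clock so the demo is deterministic
    now = lambda: clock[0]
    server = Server(now)
    sid, secret = server.login("alice")
    client = Client(sid, secret, now)

    # Constructed sample lineup body; the real app's XML layout is not on the page.
    lineup = "<lineup><qb>Starter</qb><bench>Backup</bench></lineup>"
    req = client.request("POST", "/roster", lineup)
    results = {"valid": server.verify(req)}

    # An eavesdropper on a rogue hotspot captures req and resends it unchanged.
    results["replay"] = server.verify(req)

    # The eavesdropper swaps the lineup (as in the 'mbody' attack) and picks a
    # fresh nonce, but cannot recompute the HMAC without the secret.
    tampered = dict(req, body=lineup.replace("Starter", "Backup"),
                    nonce=secrets.token_hex(8))
    results["tampered"] = server.verify(tampered)

    # A month later (the session lifetime observed in the page) the session is
    # gone even for the legitimate client.
    clock[0] += 31 * 86400
    results["month_later"] = server.verify(client.request("GET", "/roster"))
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:12s} -> {verdict}")
```

Signing gives integrity and replay resistance, not confidentiality: the lineup body is still readable on a rogue hotspot, so TLS (the first item in the list) remains necessary. In a real server the nonce set would be bounded by the MAX_SKEW window rather than growing for the life of the session.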
Yahoo! was notified of the vulnerability, and the newest version of the app now requires SSL. However, users who have not updated the application remain vulnerable. For more information and to see a demonstration of how the mobile hack works, see Kuykendall's video, "Dan Hacks Fantasy Football" at http://go.ntobjectives.com/l/8672/2013-09-04/dhg2h
NTOSpider, NT OBJECTives' dynamic application security testing (DAST) solution, allows companies to test mobile and web applications built with newer technologies like JSON, REST, SOAP, HTML5 and AJAX.
Tweet: @ntobjectives finds @Yahoo #fantasyfootball Vuln. Change line-ups to win! Are you ready for some football? http://bit.ly/17rKzm2 #infosec
About NT OBJECTives, Inc.
NT OBJECTives, Inc. (NTO) is a provider of automated, comprehensive and accurate mobile and web application security software, services and SaaS. NTO's customizable suite of solutions includes application security testing, SaaS scanning and in-depth consulting services to help companies build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information, visit www.ntobjectives.com or follow us on Twitter at @ntobjectives or @dan_kuykendall.