Update – As if the National Football League doesn’t have enough to worry about during Super Bowl week with deflated footballs and cheating allegations marring its most important event, a security firm has found a glaring vulnerability in its mobile application.
Just in time for the big game, NFL Mobile apparently leaks user profile data via a secondary API call that is not encrypted.
Researchers at Wandera, a mobile data gateway provider, said that once a user signs in to the NFL Mobile app, the user’s credentials are sent in the clear in a secondary, unencrypted API call. The username and user’s email address were also found in an unencrypted cookie that’s created upon login and used in subsequent calls made by the mobile application to different NFL.com domains.
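The pattern Wandera describes, a login that is protected once and then leaked by a later call, is easy to miss by inspecting only the login endpoint. The script below is an added example (not Wandera's tooling or anything from NFL Mobile) showing the kind of check a practitioner would run over an intercepting-proxy export: it walks a list of captured requests and flags any that carry credential-like fields in the body or cookie over plain HTTP. The capture, hostnames and field values are constructed for illustration and are not real NFL traffic.

```python
import json
from urllib.parse import parse_qs

# Constructed sample capture (not real traffic): an HTTPS login, a secondary
# HTTP call that re-sends the same credentials, a cleartext cookie carrying
# the username and e-mail, and a benign HTTPS call. Hostnames are invented.
SAMPLE_CAPTURE = [
    {
        "method": "POST", "scheme": "https", "host": "login.example.com",
        "path": "/auth",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "username=fan42&password=Hunter2",
    },
    {
        "method": "POST", "scheme": "http", "host": "api.example.com",
        "path": "/v1/profile/sync",
        "headers": {"Content-Type": "application/json"},
        "body": '{"username": "fan42", "password": "Hunter2"}',
    },
    {
        "method": "GET", "scheme": "http", "host": "shop.example.com",
        "path": "/account",
        "headers": {"Cookie": "session=abc123; user=fan42; email=fan42%40example.org"},
        "body": "",
    },
    {
        "method": "GET", "scheme": "https", "host": "api.example.com",
        "path": "/v1/feed", "headers": {"Cookie": "session=abc123"}, "body": "",
    },
]

# Field names that should never travel in the clear. Extend to taste.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "username", "user", "email"}


def _body_fields(content_type, body):
    """Return {field: value} for a form-encoded or JSON request body."""
    if not body:
        return {}
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {str(k): str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {k: v[0] for k, v in parse_qs(body).items()}


def _cookie_fields(cookie_header):
    """Split a Cookie header into {name: value}."""
    fields = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            fields[name] = value
    return fields


def audit_capture(capture):
    """Flag plain-HTTP requests whose body or cookie carries credential-like fields."""
    findings = []
    for req in capture:
        if req["scheme"].lower() != "http":
            continue  # HTTPS requests are not visible to a passive on-path attacker
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        url = f"{req['scheme']}://{req['host']}{req['path']}"

        body_fields = _body_fields(headers.get("content-type", ""), req.get("body", ""))
        leaked = sorted(k for k in body_fields if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            findings.append({"url": url, "where": "body", "fields": leaked})

        cookie_fields = _cookie_fields(headers.get("cookie", ""))
        leaked = sorted(k for k in cookie_fields if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            findings.append({"url": url, "where": "cookie", "fields": leaked})
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"{finding['url']}: {finding['where']} exposes {', '.join(finding['fields'])}")
```

Run against the constructed capture, the audit reports two findings: the secondary `/v1/profile/sync` call re-sending the username and password over HTTP, and the `/account` request exposing the `user` and `email` cookie values. The HTTPS login and feed calls pass. Note that the check is only as good as the capture it is fed; the secondary call in this story would never show up if testing stopped at the login screen.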
A Wandera spokesperson told Threatpost that the NFL was notified last Monday and had yet to reply.
“With these credentials, an attacker can access the user’s full NFL profile at [NFL.com],” Wandera said in a statement. “This profile page is unencrypted as well, so the registered personal data is also vulnerable to man-in-the-middle intercept.
“It is unclear whether any credit card information would also be visible, as Wandera’s security team did not attempt to purchase any NFL Merchandise during the review,” the company added.
The National Football League reached out to Threatpost on Wednesday and said the vulnerability has been addressed.
“We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible,” said an NFL Media spokesperson.
Using these credentials, an attacker can snag a user’s full name, address, phone number, date of birth and other data that could contribute to identity theft and attacks against social media accounts if credentials are re-used.
Wandera CEO Eldar Tuvey said 23 percent of the company’s customers in the United States have an employee using the app. With the Super Bowl on Sunday, traffic via the app and NFL.com domains figures to grow sharply over the rest of the week, and the exposure grows right along with it.
“A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets,” Tuvey cautioned. “Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans.”
Mobile applications are a continuous sore spot with security experts. They’re often a hacker’s easiest route to compromising a user’s credentials or data, rather than attacking the mobile device itself. Apps are also criticized for requesting excessive permissions, putting user privacy further at risk. According to the results of a study conducted by the U.K.’s Information Commissioner’s Office (ICO), most of the top 50 downloaded mobile apps are greedy in requesting access to other services on the device, or to personal user data stored on the device.
This article was updated on Thursday with a comment from the National Football League.