Tuesday, January 27, 2015

Can You Be Insecure Playing for the NFL? Sure, if you're an app.

The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Super Bowl XLIX, traditionally one of the world's most popular sporting events.

(You can stop reading here. Trust me, it just gets worse.)

As Ars has chronicled in the past, large numbers of people use the same password and e-mail address to log into multiple accounts. That means that people who have used the NFL app on public Wi-Fi hotspots or other insecure networks are at risk of account hijackings. The threat doesn't stop there: the exposed credentials allow snoops to log in to users' accounts on http://www.nfl.com, where still more personal data can be accessed, researchers from mobile data gateway Wandera warned. Profile pages, for instance, prompt users to enter their first and last names, full postal address, phone number, occupation, TV provider, date of birth, favorite team, greatest NFL memory, sex, and links to Facebook, Twitter, and other social networks. Combined with "about me" data, the personal information could prove invaluable to spear phishers, who send e-mails purporting to come from friends or employers in hopes of tricking targets into clicking on malicious links or turning over financial data. Adding to the risk, profile pages are transmitted over unencrypted HTTP, making the data susceptible to still more monitoring over unsecured networks, the researchers reported.

"Wandera's scanning technologies have discovered that after the user securely signs into the app with their NFL.com account, the app leaks their username and password in a secondary, insecure (unencrypted) API call," a report published Tuesday warned. "The app also leaks the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains." The app allows users to make a variety of in-app purchases.
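As an added illustration (not code from the Wandera report or from the NFL app), here is how a traffic audit can catch the exact pattern quoted above: credentials submitted correctly over HTTPS at login, then reappearing in cleartext API parameters or cookies. The hostnames, paths, field names and captured requests are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

SENSITIVE_FIELDS = {"username", "password", "email"}  # credential fields

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def parse_cookie_header(value):
    """Turn 'a=1; b=2' into [(name, percent-decoded value), ...]."""
    pairs = [part.strip().partition("=") for part in value.split(";")]
    return [(name, unquote(val)) for name, _, val in pairs if name]

def find_plaintext_leaks(captures):
    """captures: [(scheme, raw_request)] from a capture tool. Returns (index, location,
    field) for each credential sent over HTTPS that later shows up in a cleartext request."""
    secrets = {}  # credential value -> field it was submitted under
    leaks = []
    for i, (scheme, raw) in enumerate(captures):
        target, headers, body = parse_request(raw)
        fields = parse_qsl(urlsplit(target).query) + parse_qsl(body)
        if scheme == "https":
            for name, val in fields:
                if name.lower() in SENSITIVE_FIELDS and val:
                    secrets[val] = name.lower()
            continue
        # Cleartext: query string, form body and Cookie header are all observable
        for name, val in fields:
            if val in secrets:
                leaks.append((i, "param:" + name, secrets[val]))
        for name, val in parse_cookie_header(headers.get("cookie", "")):
            if val in secrets:
                leaks.append((i, "cookie:" + name, secrets[val]))
    return leaks

SAMPLE_CAPTURE = [  # constructed: a secure login, then two cleartext app calls
    ("https", "POST /login HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
              "username=fan12&password=Go%20Hawks%211&email=fan12%40example.com"),
    ("http", "GET /api/v1/scores?username=fan12&password=Go%20Hawks%211 HTTP/1.1\r\n"
             "Host: app.example.invalid\r\nCookie: nflid=fan12; email=fan12%40example.com\r\n\r\n"),
    ("http", "GET /news HTTP/1.1\r\nHost: app.example.invalid\r\nCookie: nflid=fan12\r\n\r\n"),
]
```

Running `find_plaintext_leaks(SAMPLE_CAPTURE)` flags the username and password re-sent as query parameters in the second request and the username and e-mail carried in cleartext cookies on both later requests, which is the same class of defect the report describes.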