NFL Forced to Defend its Line as Wandera Identifies Potential Security Leak in Mobile App
Tuesday, January 27, 2015.
Super Bowl Sunday is very nearly upon us, but as the respective players of both the Seattle Seahawks and the New England Patriots prepare for one of the biggest games of their careers, the NFL is preparing to defend against a different type of offensive strike.
It was reported earlier today that the world’s first Mobile Data Gateway, Wandera, has discovered a severe security hole in the official NFL Mobile app, which leaves users' highly valuable personal information exposed to hackers.
The risk of this vulnerability is particularly high at this time, as users are likely to be accessing the app far more regularly than usual ahead of the biggest game of the season, this Sunday, 1 February.
Wandera’s scanning technologies have established that after a user securely signs into the app with their NFL.com account, the app leaks their username and password through a secondary, insecure, unencrypted API call. The app also leaks the username and email address in an unencrypted cookie immediately after the login is completed, as well as on subsequent calls by the app to NFL.com domains.
Once these credentials have been compromised, hackers can view the user’s full profile through NFL.com, giving them access to yet another unencrypted page with further registered personal data such as postal address, phone number, occupation, date of birth, social media profiles and more. However, it is unclear at this point whether this would include credit card information, as Wandera’s security team did not attempt to purchase any NFL merchandise during their review.
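The two leak classes described above, credentials replayed over a plaintext API call and identity data carried in a cookie without the Secure attribute, are exactly what an app security review looks for in a test-environment capture of an app's own traffic. The audit script below is an added example written for this page; it is not Wandera's scanner or any NFL code, and the sample requests, hostnames (`*.example-league.test`), field names and cookie layout are constructed for illustration.

```python
"""Audit a captured set of HTTP request/response pairs for cleartext
credential transmission and unprotected identity cookies.

Every record in SAMPLE_TRAFFIC is constructed for this example and does not
come from any real app capture."""
import re
from urllib.parse import parse_qs, urlsplit

# Field names that should never travel without TLS (assumed list).
CREDENTIAL_KEYS = {"username", "user", "email", "password", "passwd", "pass"}
# Identity data we do not want to see inside a cookie that lacks Secure.
PII_COOKIE_PATTERN = re.compile(r"(username|email)=", re.I)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit_request(req):
    """Return a list of finding strings for one request/response record."""
    findings = []
    url = urlsplit(req["url"])
    plaintext = url.scheme == "http"
    if plaintext:
        # 1. Credential-looking fields in the body or query string of a
        #    request that is not protected by TLS.
        fields = parse_qs(req.get("body", ""))
        fields.update(parse_qs(url.query))
        leaked = sorted(k for k in fields if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            findings.append(
                f"cleartext credentials {leaked} sent to {url.netloc}{url.path}")
        # 2. Identity data inside a Cookie header on a plaintext request,
        #    which is what a cookie without Secure eventually produces.
        cookie = req.get("request_headers", {}).get("Cookie", "")
        if PII_COOKIE_PATTERN.search(cookie):
            findings.append(
                f"cleartext cookie with identity data sent to {url.netloc}")
    # 3. Responses that set a cookie carrying identity data without Secure,
    #    regardless of whether this particular response came over TLS.
    for header in req.get("response_headers", {}).get("Set-Cookie", []):
        name, value, attrs = parse_set_cookie(header)
        if "secure" not in attrs and PII_COOKIE_PATTERN.search(f"{name}={value}"):
            findings.append(
                f"cookie {name!r} carries identity data but lacks the Secure attribute")
    return findings


def audit_traffic(records):
    """Map each URL that produced at least one finding to its findings."""
    report = {}
    for record in records:
        findings = audit_request(record)
        if findings:
            report[record["url"]] = findings
    return report


# Constructed sample capture: a correct TLS login, then the two leak patterns.
SAMPLE_TRAFFIC = [
    {   # Primary login over TLS with a properly flagged session cookie.
        "url": "https://id.example-league.test/login",
        "body": "username=fan42&password=hunter2",
        "request_headers": {},
        "response_headers": {"Set-Cookie": ["session=abc123; Secure; HttpOnly"]},
    },
    {   # Secondary call that replays the credentials over plain http and
        # sets an identity cookie without Secure.
        "url": "http://api.example-league.test/v1/sync?username=fan42&password=hunter2",
        "body": "",
        "request_headers": {},
        "response_headers": {
            "Set-Cookie": ["profile=username=fan42&email=fan42@example.test; Path=/"]},
    },
    {   # Later content request that carries that cookie in the clear.
        "url": "http://content.example-league.test/scores",
        "body": "",
        "request_headers": {"Cookie": "profile=username=fan42&email=fan42@example.test"},
        "response_headers": {},
    },
]

if __name__ == "__main__":
    for url, findings in audit_traffic(SAMPLE_TRAFFIC).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed capture, the TLS login produces no findings while the second and third records each do, which mirrors the report: the initial sign-in is fine, the damage is done by the follow-up call and the cookie. The remediation each finding points at is the same in every case: send every call over TLS, mark cookies Secure and HttpOnly, and keep usernames and email addresses out of cookies altogether.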
CEO of Wandera, Eldar Tuvey, commented on the discovery, "NFL Mobile is a relatively popular app with our US customers. It is ironic that just like a quarterback being vulnerable to an interception, the NFL app is vulnerable to a man-in-the-middle attack that puts users' data at risk of interception by hackers.
"23% of our US customers have at least one employee using the app, and we expect this to increase significantly as the big game approaches.
"We have not yet reviewed other NFL Enterprises apps, such as 'NFL Now', 'NFL Fantasy Football', etc. Potentially these feature similar vulnerabilities," continued Tuvey.
"A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets. Moreover, date of birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans."
Tuvey was quick to point out the impact this could have on enterprises, if employees are negligent in their approach to mobile security: "Mobile attacks are growing on all platforms, but it's clear that many businesses are still underestimating the severity and risk that smartphones present. The threats out there are real and changing every day. Fragmented, piecemeal security simply will not do anymore."
The mobile security firm’s CEO makes a valid point: attacks such as this could have potentially catastrophic consequences for companies all over the world if employees do not come to better understand the risks that mobile devices pose to personal and corporate information when they are not properly secured.