
When you go to a security conference, and its mobile app leaks your data

Screenshots of the RSA Conference application from the Google Play Store. The app's Web interface leaked attendee data when provided with a token obtained by registering the app.

Google Play Store

A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have multiple security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

The vulnerability was discovered (at least publicly) by a security engineer who tweeted findings during an examination of the RSA conference mobile app, which was developed by Eventbase Technology. Within four hours of the disclosure, Eventbase had fixed the data leak—an API call that allowed anyone to download data containing attendee information.

Accessing the attendee list required registering an account for the application, logging in, and then grabbing a token from an XML file stored by the application. Since registration for the application only required an email address, anyone who could dump the data from their Android device could obtain the token and then insert it into a Web-based application interface call to download attendee names. While the SQLite database downloaded was encrypted, another API call provided that key.
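The failure described above is an authorization gap rather than an authentication one: the token proves that the caller registered (with nothing more than an email address), but the bulk endpoint never asks whether that caller should see every attendee. As an added example, not code from the article or from Eventbase, the following Python models a vulnerable handler next to a hardened one that checks a scope and minimizes the response. All tokens, scopes, user IDs and attendee records are constructed for illustration.

```python
"""
Added example (not part of the original article or the app's code): a
minimal model of the authorization failure the article describes. A
self-registration token authenticates a caller, but the bulk attendee
endpoint must also check what that caller is allowed to see.
All tokens, users and attendee records below are constructed sample data.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample attendee records (not real people).
ATTENDEES = [
    {"id": 1, "first": "Ada", "last": "Example", "phone": "+1-555-0100"},
    {"id": 2, "first": "Ben", "last": "Sample", "phone": "+1-555-0101"},
    {"id": 3, "first": "Cy", "last": "Placeholder", "phone": "+1-555-0102"},
]


@dataclass
class Session:
    user_id: int
    scopes: frozenset  # e.g. {"self:read"} or {"attendees:read"}


class TokenStore:
    """Maps opaque bearer tokens to sessions. Tokens are random server-side
    values, not derived from a key shipped inside the client."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user_id: int, scopes: set[str]) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, frozenset(scopes))
        return token

    def lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison against each stored token; fine at this scale.
        for stored, session in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return session
        return None


class AuthError(Exception):
    pass


def vulnerable_list_attendees(store: TokenStore, token: str) -> list:
    """Authentication only: any valid token, including one from a
    self-registered, email-only account, receives the entire list."""
    if store.lookup(token) is None:
        raise AuthError("unauthenticated")
    return ATTENDEES


def hardened_list_attendees(store: TokenStore, token: str) -> list:
    """Authentication plus authorization: the caller must hold a scope that
    self-registration never grants, and the response carries only the
    fields the endpoint exists to serve (no phone numbers)."""
    session = store.lookup(token)
    if session is None:
        raise AuthError("unauthenticated")
    if "attendees:read" not in session.scopes:
        raise AuthError("forbidden: token lacks attendees:read")
    return [{"id": a["id"], "first": a["first"], "last": a["last"]} for a in ATTENDEES]


def hardened_get_self(store: TokenStore, token: str) -> dict:
    """What an ordinary attendee token should be able to fetch: its own record."""
    session = store.lookup(token)
    if session is None:
        raise AuthError("unauthenticated")
    for a in ATTENDEES:
        if a["id"] == session.user_id:
            return a
    raise AuthError("not found")


def demo() -> dict:
    """Exercise both handlers with an attendee token and a staff token."""
    store = TokenStore()
    # Self-registration grants only self:read.
    attendee_token = store.issue(user_id=2, scopes={"self:read"})
    # Organizer accounts are provisioned out of band with the bulk scope.
    staff_token = store.issue(user_id=99, scopes={"attendees:read"})
    results = {}
    results["vuln_leak_count"] = len(vulnerable_list_attendees(store, attendee_token))
    try:
        hardened_list_attendees(store, attendee_token)
        results["hardened_blocked"] = False
    except AuthError:
        results["hardened_blocked"] = True
    results["staff_count"] = len(hardened_list_attendees(store, staff_token))
    results["self_record"] = hardened_get_self(store, attendee_token)["first"]
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the bulk endpoint's check is on a scope the self-service registration flow cannot hand out, so possession of a token dumped from a device buys only that user's own record; separately, the hardened list handler returns the minimum fields, so even a legitimately scoped client never receives phone numbers it does not need.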

Another SQLite database that can still be pulled down via the application's APIs isn't encrypted, and it contains more personal data, including names, addresses, phone numbers, company names, and social media account links. Ars looked at that database, and it appears to contain only vendor and speaker data, so it is likely intentionally unsecured because it is less sensitive.

This is the second time an RSA mobile application has leaked attendee data. In 2014, an application built by another developer, QuickMobile, was found by Gunter Ollmann (who was at the time at IOActive) to have a SQLite database containing personal data on registered attendees.
