NFL Mobile App Vulnerability Poses Threat To Super Bowl Fans' Personal Data


[Editor's note: The NFL has addressed the vulnerability. Please see the update at the bottom of this story.]

Based on ProgrammableWeb's interpretation of a report on Threatpost, users of NFL Mobile (Android, iOS), a mobile application that the National Football League offers to its fans, could be at a heightened risk of exposing sensitive personal data due to the way the app transmits user credentials without encrypting them first. If true, the timing of the news could not come at worse time as the NFL and all of its fans gear up for the championship Super Bowl XLIX on Feb 1, 2015.

Due to the ease of reverse engineering a mobile app's API interactions using what's called a man in the middle (MITM) attack, many mobile apps are already highly vulnerable to the nefarious activities of hackers (see How Hackers Crack Supposed Secure And Private APIs). But, based on what we've read in the report, there could be an added level of risk to users of NFL Mobile depending on how they connect to the Web when using the app.

For example, when users connect to the Internet over any of many open WiFi networks that aren't password protected in a way that ensures Encryption of their data (such as those found in some airports, hotels, and coffee shops), any information that's transmitted over those networks in clear text is easily discoverable by hackers using readily available tools like Wireshark. According to the report in Threatpost, researchers at Wandera, a mobile data gateway provider, have discovered that NFL Mobile is doing exactly that; sending sensitive user login credentials in clear text by way of a "secondary, unencrypted API call." With those credentials, hackers can also gain access to additional user profile data that's being kept on the NFL's servers including "a user’s full name, address, phone number, and date of birth." 

In addition to the shared password problem whereby, through this vulnerability, hackers could gain access to the the same credentials that many users are invariably using to login to other applications and Web sites, gaining access to other personal data such as full name, address and date of birth is problematic because of how many companies use that same information to authenticate customers who have lost their passwords or who are dialing into call centers for other reasons (ie: insurance companies). The opportunity for identity theft in a situation such as this is severe.

Moreover, the vulnerability once again draws attention to the fast-growing and thorny problem of securing the APIs -- both documented and undocumented -- used by mobile and Web applications to "phone home" to the whatever host Web site they depend on for their functionality. Even when such transmissions are encrypted, they're not safe from prying eyes as evidenced by readily available MITM tools such as and Android-based reverse-engineering utilities like Packet Capture. Many of the last year's most highly publicized attacks and vulnerabilities including the Fappening, the Snappening, Instagram, and more recently MoonPig were based on the service providers' inability to properly secure their APIs against reverse engineering. 

For API providers, the challenge is proving to be daunting. Not only could sensitive user data get exposed as the result of an insecure API, so too can the secret credentials (i.e.: OAuth tokens) that mobile apps use to uniquely identify themselves and authenticate with the servers they rely on. As a result, when such credentials are discoverable, hackers can write software that poses as the original app and wreak havoc at scale. Though Pinterest has never disclosed what exactly happened in multiple attacks against its users in 2014, the evidence suggests that hackers gained access to the application secrets that Pinterest used to authenticate with Twitter so it could automatically post tweets on its users' behalf. The results were an untold number of unauthorized weight-loss tweets that linked to a site that was infected with malware.

[Update 1/29/2015: The NFL has reported that the vulnerability has been addressed and that no further action is required on the user's behalf. ProgrammableWeb contacted Wandera, the source of the original report.  According to the company's PR manager Erin Lockhart, Wandera can confirm that the fix applied by the NFL was effective for both the iOS and the Android versions of the application.]

Be sure to read the next Security article: ShieldSquare API Identifies and Denies Malicious Bot Activity