Connection on website log-in page is insecure

Jan 27, 2015 15:09 GMT  ·  By

The NFL Mobile App, so popular these days due to the Super Bowl kick off approaching, has been found to leak the log-in credentials, as well as the email address, of the user during calls to the nfl.com domain.

The leak occurs immediately after the user signs into the app over a secure connection: the app then makes a secondary, unencrypted API call, and sends a cookie that is not protected against transmission in cleartext.
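To make that failure mode concrete, the following is an added example (it is not Wandera's scanning tooling and not code from the NFL app) that audits a constructed proxy capture for the two defects described: sensitive fields in a plain-HTTP request, and a session cookie set without the Secure attribute and later replayed in cleartext. Hosts, cookie names and values are hypothetical.

```python
"""Audit captured app traffic for credentials sent over plain HTTP and for
session cookies that lack the Secure attribute and get replayed in cleartext."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture (hypothetical hosts and values, not real NFL traffic):
# each entry is one request/response pair as an intercepting proxy would log it.
CAPTURE = [
    {"url": "https://login.example-app.test/auth",
     "body": "username=fan42&password=hunter2",
     "set_cookie": "session=abc123; Path=/"},            # no Secure, no HttpOnly
    {"url": "http://api.example-app.test/profile?username=fan42&password=hunter2&email=fan42%40mail.test",
     "cookie": "session=abc123"},                          # plaintext follow-up call
    {"url": "https://api.example-app.test/scores",
     "cookie": "session=abc123"},
]

SENSITIVE = {"password", "username", "email", "token"}

def cookie_names(header):
    """Names of the cookies carried in a Cookie request header."""
    return {part.strip().split("=", 1)[0] for part in header.split(";") if "=" in part}

def audit(capture):
    """Return a list of (kind, detail) findings; an empty list means nothing flagged."""
    findings = []
    insecure_cookies = set()          # cookies issued without the Secure attribute
    for entry in capture:
        parts = urlsplit(entry["url"])
        cleartext = parts.scheme == "http"
        sc = entry.get("set_cookie", "")
        if sc:
            name = sc.split("=", 1)[0]
            attrs = {a.strip().lower() for a in sc.split(";")[1:]}
            if "secure" not in attrs:
                insecure_cookies.add(name)
                findings.append(("cookie-missing-secure", name))
            if "httponly" not in attrs:
                findings.append(("cookie-missing-httponly", name))
        if cleartext:
            # Sensitive fields in the query string or form body of a plain-HTTP request.
            params = parse_qs(parts.query)
            params.update(parse_qs(entry.get("body", "")))
            for key in sorted(SENSITIVE & set(params)):
                findings.append(("cleartext-credential", f"{key} -> {parts.netloc}"))
            # A cookie issued over HTTPS without Secure, now sent over HTTP.
            for name in sorted(cookie_names(entry.get("cookie", "")) & insecure_cookies):
                findings.append(("cookie-replayed-over-http", name))
    return findings
```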

The mobile application is designed to deliver breaking news, game highlights and scores to NFL fans.

Sensitive details are easily accessed

Mobile data gateway company Wandera found the flaws through its scanning technologies and learned that the leaked data can be used to access the NFL.com account. This procedure is also carried out via an insecure connection, which means that the traffic can be intercepted via a man-in-the-middle type of attack.

Apart from username and password, data associated with a profile on NFL.com includes email and postal address, phone number, occupation, date of birth, as well as links to social networks and NFL-related information (favorite team, greatest NFL memory).

Eldar Tuvey, CEO of Wandera, has said that 23% of the company’s US customers have at least one employee with the vulnerable app installed on a personal device, and that he expects the number of installations to increase as the Super Bowl approaches.

Payment data may also be exposed

“It is ironic that just like a quarterback being vulnerable to an interception, the NFL app is vulnerable to a man-in-the-middle attack that puts users' data at risk of interception by hackers,” Tuvey added.

As far as financial information is concerned, Wandera’s review of the security issues did not include purchasing merchandise, so Tuvey could not say whether this type of data is also exposed by the insecure traffic from the mobile app.

“We have not yet reviewed other NFL Enterprises apps, such as ‘NFL Now,’ ‘NFL Fantasy Football,’ etc. Potentially these feature similar vulnerabilities,” Tuvey said on Tuesday.

Another concerning risk is that users often rely on the same password to access multiple online accounts. In some cases, they are used to log into banking accounts or to access corporate data. Tuvey also says that, with the information currently obtained through the aforementioned security flaws, an attacker could initiate identity theft attacks on NFL fans.