14 DAY TRIAL // Security researchers from Zscaler have put their Zscaler Application Profiler (ZAP) service to good use and they’ve identified a couple of vulnerabilities in the ESPN ScoreCenter iOS app – an official ESPN Inc. application which allows users to check out live scores, videos, news and alerts.
The first issue identified by the experts is a cross-site scripting (XSS) vulnerability. Although many might assume that mobile apps can’t be affected by such security holes because XSS is specific to web applications, in reality, many mobile apps are actually web pages.
“Many mobile apps are actually just web pages displayed in a WebView control or more commonly web content mixed in with native controls and such is the case for ESPN ScoreCenter. As with many web apps, when user supplied content isn't properly sanitized, active content, such as JavaScript can be injected,” Zscaler’s Michael Sutton explained.
This XSS vulnerability could be exploited to steal user authentication cookies but, in this case, experts have identified another vulnerability in ESPN ScoreCenter, which can be leveraged by cybercriminals to steal login credentials without much hassle.
They’ve found that the iOS app actually sends authentication credentials in clear text. This means that an attacker that’s sniffing traffic on the network could easily steal usernames and passwords.
It’s worth noting that during normal logins, the password is sent via HTTPS. However, when the account is created, a simple HTTP connection is used, allowing an attacker to gain access to the sensitive information.
Experts emphasize that such vulnerabilities are more dangerous when they affect mobile apps because, unlike on a computer, users don’t see the address bar and they don’t know if the information is transmitted via a secure HTTPS connection.