With only a few days remaining before the Superbowl, it is now emerging that the fans might be in for some surprises-and we are not talking sporting surprises here. It has been reported that the official NFL app is vulnerable to hacking, simple hacking at that.
While no app is completely secure, app developers take time to make sure that their creations are at least hard to crack by employing relatively complex encryption. This is especially so when the app is required to communicate with an external server, as indeed all apps at some point have to.
When communicating with an external server, an app should ideally send encrypted data which the server decrypts and executes the instruction before sending back information in encrypted form. The app then decrypts that information, making it legible for the user. According to the report, ”
“Wandera‘s scanning technologies have discovered that after the user securely signs into the app with their NFL.com account, the app leaks their username and password in a secondary, insecure (unencrypted) API call.” The report further said, “The app also leaks the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains.”
Encryption is important because it allows users keep their usernames, passwords and other log-in details secure, even if their traffic is being monitored.
Now, it turns out that the official NFL app does NOT send the user information to servers in encrypted form. This means that if a person is able to intercept a user’s traffic, he or she can read the log-in details in plain form.
The danger with such an event is that the log-in details for the app are the same for the NFL website. The NFL website contains a lot of personal information like sex, age, postal address, TV provider, phone number, workplace, date of birth, team supported, best NFL memory, and links to social networks like Twitter and Facebook. Therefore, if a hacker was to pass on the log-in details to a phisher, the person gets exposed to a wide variety of online risks. These include identity theft, financial fraud and phishing attack on loved ones.
The more worrying aspect of this kind of security lapse and that’s a massive understatement is that the log-in details that many people use on multiple websites and apps are the same. Many people use their main email as the username and one password on multiple sites. This means that should a hacker get access to their log-in details on the NFL app, they could potentially be exposed to attacks on multiple attacks. Now, if a person’s primary email is hacked into, a lot of damages could be visited on him or her.
Security experts advice NFL fans to desist from using the app until a proper solution is found. The NFL said that it had taken necessary measures by securing the servers but the danger is still present, at least until the app is properly updated to send encrypted information.
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – Official NFL, mobile)