STE WILLIAMS

No way, RSA! Security conference’s mobile app embarrassingly insecure

RSA has copped to a security vulnerability in the mobile app it served to attendees of its annual security conference, held this week in San Francisco.

The data encryption specialist credited security researcher “svbl” for discovering and reporting an issue that had left a list of attendees at the conference vulnerable to data harvesting.

The researcher found that the RSA 2018 mobile app, which attendees were encouraged to use as a way to schedule and navigate the show, left an API accessible to anyone with an account and allowed the researcher to access a list of over 100 attendees.

The harvested data consisted only of attendee names, and no other private information was believed to have been exposed. RSA says it has since remedied the issue and the app will no longer allow access to that API.
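The flaw described above is a broken-access-control pattern: an endpoint that checks only that the caller is logged in, then hands any account the whole attendee directory. The following is an added example (not RSA's app code, and not from the researcher's write-up) that puts the weak handler beside a hardened one and adds a small log-based check for bulk enumeration. The attendee records, session model, role names and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory; no real conference data.
ATTENDEES = [
    {"id": 1, "name": "Attendee One", "email": "one@example.org"},
    {"id": 2, "name": "Attendee Two", "email": "two@example.org"},
    {"id": 3, "name": "Attendee Three", "email": "three@example.org"},
]


@dataclass(frozen=True)
class Session:
    user_id: Optional[int]   # None means the caller is not logged in
    role: str = "attendee"   # hypothetical roles: "attendee" or "organizer"


class Unauthorized(Exception):
    """Caller is not authenticated."""


def list_attendees_vulnerable(session: Session):
    """Weak pattern: authentication is the only gate, so any account
    can enumerate every attendee record."""
    if session.user_id is None:
        raise Unauthorized("login required")
    return [dict(a) for a in ATTENDEES]


def list_attendees_hardened(session: Session):
    """Hardened pattern: authenticate, then authorize by role, and return
    only the fields the caller actually needs."""
    if session.user_id is None:
        raise Unauthorized("login required")
    if session.role == "organizer":
        # Privileged role sees the full directory.
        return [dict(a) for a in ATTENDEES]
    # An ordinary attendee sees only their own record, minimized.
    return [{"id": a["id"], "name": a["name"]}
            for a in ATTENDEES if a["id"] == session.user_id]


# Constructed access-log lines in a hypothetical format, used to show how
# a defender might spot one account walking the attendee endpoint.
SAMPLE_LOG = """\
2018-04-19T10:00:01Z user=7 GET /api/attendees/1 200
2018-04-19T10:00:02Z user=7 GET /api/attendees/2 200
2018-04-19T10:00:03Z user=7 GET /api/attendees/3 200
2018-04-19T10:00:04Z user=7 GET /api/attendees/4 200
2018-04-19T10:05:00Z user=2 GET /api/attendees/2 200
2018-04-19T10:06:00Z user=2 GET /api/schedule 200
"""

LOG_RE = re.compile(r"user=(?P<user>\d+) GET /api/attendees/(?P<aid>\d+) ")


def flag_enumeration(log_text: str, threshold: int = 3):
    """Return user ids that fetched more distinct attendee records than
    `threshold`, a simple signal for directory harvesting."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        seen.setdefault(m["user"], set()).add(m["aid"])
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print(len(list_attendees_vulnerable(Session(2))), "records to a plain attendee (weak)")
    print(list_attendees_hardened(Session(2)), "(hardened)")
    print("flagged users:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler fixes the two things the article's flaw combines: it decides per role who may read the directory, and it strips contact fields from what an ordinary attendee gets back. The log check is deliberately crude; in practice the threshold would be tuned to how the app legitimately uses the endpoint.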

Fortunately, svbl tells El Reg it wasn’t possible to access the full attendee database and nobody else is believed to have been able to exploit the vulnerability, so damage appears thus far to have been minimal.

For most security companies this would be an embarrassing mishap and cause for a careful examination of development practices. For RSA, it’s just a trip down memory lane.

Back in 2014 security researcher Gunter Ollmann analyzed an RSA Conference app and found that it was so poorly written it would allow credential stealing via a man-in-the-middle attack and exposed users' personal information.

The timing was particularly awkward as that year’s conference was being partially boycotted after allegations surfaced that a backdoor in one of its cryptographic toolkits was orchestrated by the US government. RSA has maintained that it didn’t take the NSA’s money to bork its own products. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/20/rsa_security_conference_insecure_mobile_app/
