VPN Articles and News

Official NFL App Leaked User Credentials

Saturday, April 11th, 2015

Just days before the Super Bowl, unarguably the biggest sporting event of the year, the official NFL app was found to contain a serious security flaw that not only compromised user credentials but also exposed personal data of the users to hackers and criminals. The vulnerability, which was found to affect both the iOS and Android versions of the official NFL app, was discovered by the researchers working at mobile data gateway provider Wandera. The news about the security loophole must have come as a rude shock to millions of NFL fans who rely on the app to watch their favorite teams in action.

Security experts at Wandera discovered that while the NFL app allowed the users to sign in securely, it leaked their username and password details via a secondary unencrypted API call. The researchers also discovered that once the login process was successful, the app stored sensitive information, including username and email address, without encryption in a simple cookie file. The information stored on the cookie was then accessed every time a call was made to the official NFL website.

The glaring security vulnerability makes it possible for hackers to perform Man-in-the-middle kind of attacks and steal confidential data from the users. Also, since the user profile page on NFL.com is not encrypted, the flaw could allow the attackers to steal even more sensitive information about the users (including but not limited to date of birth, phone number, address and occupation). The risk of attacks was especially high during the time of Super Bowl since millions of NFL fans were expected to watch the game through the official app.

It is not yet clear whether the loophole existed only in the official NFL app or whether it was also present in other NFL products like NFL Fantasy Football or NFL Now. Also, the team working on the vulnerability at Wandera could not say for sure whether the credit card information stored on the NFL website was visible to attackers.

Researchers have warned that the flaw could also expose users to more severe forms of hacking attacks especially if they relied on public Wi-Fi networks for connecting to the internet. Since a lot of people use a single username/password combination for multiple websites, it could lead to compromise of email and social networking accounts. What’s worse, personal details revealed by the NFL website (including Date of birth, phone number and address) could be exploited by attackers for phishing, identity theft or social engineering attacks. Security experts have advised users of the app to change passwords of their email and social networking accounts as a precautionary measure.

After the security flaw was discovered, NFL decided to address the measure to ensure the security of the app users. Users of the app won’t be required to update the software since the fix only made changes to the servers which connected to the app. The whole episode once again reminds us that even the most trusted apps could have glaring security loopholes within them.

April 11, 2015

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 1 =