Researchers have uncovered some worrying holes in the RSA 2014 Conference app for iOS and Android, leaking data of the thousands of users running the software on their phones.
The app, ironically one designed to help people around this week’s security event, contains a weakness leaving it open to man-in-the-middle attacks, where an attacker could inject code into the login sequence to steal credentials.
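For readers building their own event apps, the mitigation for this class of login-sequence interception is to refuse cleartext connections and pin the server's certificate. The following Android network security configuration is an added illustration written for this article; it is not code from the RSA Conference app, QuickMobile or the researchers, and the hostname and pin digests are placeholders that would have to be replaced with an app's real API host and the base64 SHA-256 hashes of its certificate public keys. The first block shows the weak setting (cleartext traffic allowed, no pinning), the second the corrected one.

```xml
<!-- res/xml/network_security_config.xml -- WEAK (illustrative, not from the app):
     cleartext HTTP is permitted everywhere, so a login request can be sent in
     the clear and read or rewritten by anyone on the same network. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>

<!-- res/xml/network_security_config.xml -- CORRECTED (illustrative):
     1. cleartext traffic is refused for every host, so the platform itself
        blocks an accidental http:// login endpoint;
     2. connections to the API host must present a certificate whose public
        key matches one of the pinned digests, so a rogue certificate issued
        by an attacker's or a compromised CA is rejected;
     3. a second (backup) pin is listed so key rotation does not lock users out.
     "api.example-conference-app.invalid" and the pin values are placeholders. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- trust only the system CA store; do not add user-installed CAs -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example-conference-app.invalid</domain>
        <pin-set expiration="2030-01-01">
            <!-- PLACEHOLDER: base64 SHA-256 of the leaf or intermediate SPKI -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SHA256_OF_PRIMARY_SPKI=</pin>
            <!-- PLACEHOLDER: backup key, kept offline until rotation -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SHA256_OF_BACKUP_SPKI=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The file is referenced from the manifest's `<application>` element with `android:networkSecurityConfig="@xml/network_security_config"`. Excluding user-installed CAs from the trust anchors is what makes an interception proxy fail even on a device where the user has been talked into installing its certificate; the pin set then narrows trust further to the app's own server keys.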
“I have no idea why the app developers chose to do that, but I’m pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way. Marketers love this kind of information though,” said Gunter Ollmann, chief technology officer for IOActive.
“Some readers may think I’m targeting RSA, and in a small way I guess I am. Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications.
“I’m betting that RSA didn’t even create the application themselves. The Google Play store indicates that a company called QuickMobile was the developer.”
It appears QuickMobile, which focuses on apps for conferences and events, has created a number of apps for well-known brands, including Adobe and McDonald’s. Its website says Microsoft, Dell and Disney are customers too.
Neither RSA nor QuickMobile had responded to a request for comment at the time of publication.
Ollmann had one piece of advice for users: don’t download the RSA Conference app. “Readers of this blog may want to refrain from downloading the RSA Conference 2014 (and related) mobile applications – unless you’re a hacker or marketing team that wants to acquire a free list of conference attendees’ names, positions and employers.”
He told TechWeekEurope RSA had been notified. “We’ve advised them and EMC [RSA’s parent company] of the vulnerabilities and we’ll let them decide on how to resolve the issues (if they feel they need fixing – which I hope they do fix).”