Every once in a while, 280 characters can make people scratch their heads. Learning about a flaw in a mobile app designed for a conference is one of those things that people find puzzling. Or not. 

Many members of the community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about an RSAC app. Few, however, are really shocked by the reported

Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app. RSAC tweeted a confirmation of the breach confessing, “Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.” 

The database was reachable through an unsecured API, using credentials hard-coded into the app. According to Twitter threads, the security researcher who discovered the flaw messaged RSAC to alert them to some security issues with their conference app. Only six hours later, the researcher thanked both Eventbase Tech and RSAC for quickly fixing the data leak, applauding the great response time and confirming that the attendee data was no longer accessible through the reported method. 
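The design flaw described above, a client-embedded credential that the API treats as sufficient authorization, is worth seeing next to the pattern that avoids it. The following is an added example written for this post; it is not code from the RSAC app, Eventbase, or the researcher, and every name, key and attendee record in it is constructed. It contrasts an endpoint that returns all records to any caller presenting the app-wide key with one that issues short-lived per-user tokens on the server and only returns the record the token's owner is entitled to, recording every denial so over-reach shows up in an audit trail.

```python
"""Added example (not from the article or from Eventbase/RSAC): an API that
trusts a secret shipped inside the mobile app, beside one that authorizes
each request per user. All names, keys and records here are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed sample data; not real attendee records.
ATTENDEES = {
    "u1": {"first": "Ada", "last": "Lovelace"},
    "u2": {"first": "Alan", "last": "Turing"},
}

# Flawed design: one key compiled into every copy of the app. Anything that
# ships in a client binary has to be treated as public knowledge, so this key
# grants every holder of the app (or of an unpacked copy) the full list.
APP_WIDE_KEY = "constructed-app-key"  # constructed placeholder value


def list_attendees_flawed(api_key):
    """Returns every record to any caller that presents the shared key."""
    if not hmac.compare_digest(api_key, APP_WIDE_KEY):
        return None
    return dict(ATTENDEES)


# Hardened design: the server keeps its own secret, issues a short-lived token
# bound to one user after login, and checks each request against that user.
SERVER_SECRET = secrets.token_bytes(32)  # stays on the server, never in the app
TOKEN_TTL = 900  # seconds a token stays valid


def issue_token(user_id, now=None):
    """Mint 'user:expiry:hmac' for one user; `now` is overridable for testing."""
    now = time.time() if now is None else now
    payload = f"{user_id}:{int(now) + TOKEN_TTL}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token, now=None):
    """Return the user id a token names, or None if forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        user_id, exp, mac = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # signature check first, so unsigned input never reaches int()
    try:
        if int(exp) < now:
            return None
    except ValueError:
        return None
    return user_id


def get_attendee_hardened(token, requested_id, now=None, audit=None):
    """Return the requested record only when the token names that same user.
    Every decision is appended to `audit` so attempts to read other users'
    records are visible to detection, not silently dropped."""
    caller = verify_token(token, now)
    allowed = caller is not None and caller == requested_id
    if audit is not None:
        audit.append({"caller": caller, "requested": requested_id, "allowed": allowed})
    if not allowed:
        return None
    record = ATTENDEES.get(requested_id)
    return dict(record) if record else None


if __name__ == "__main__":
    tok = issue_token("u1")
    print("flawed, shared key:", list_attendees_flawed(APP_WIDE_KEY))
    print("hardened, own record:", get_attendee_hardened(tok, "u1"))
    print("hardened, other record:", get_attendee_hardened(tok, "u2"))
```

The point of the contrast is where the trust decision lives: in the flawed version the only check is possession of a value that every installed copy of the app contains, so there is nothing left for the server to decide; in the hardened version the secret never leaves the server and each call is authorized against an identity the server itself issued.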

It’s not uncommon for a conference to encourage attendees to use a mobile app to navigate their way through the exhibits, speakers, and additional events, even though the week’s schedule and other pertinent details of the event are available on the conference website. Some conferences will advise downloading the app for “last-minute changes or updates.” Many do, especially at a conference like RSAC, because there’s an inherent trust that the mobile app for a security conference is safe. But no technology is ever completely free from risk, which attendees learned the hard way back at RSAC 2014 when a mobile application exposed the personal information of attendees.

Ironically, a search for “RSA leaky conference app” resulted in a link to an RSAC presentation by a Kaspersky Labs security researcher who spoke earlier this week about leaking ads. The description of his talk? “Most developers currently use HTTPS to protect user data. But that doesn’t mean they are secure.”
