Every once in a while, 280 characters can make people scratch their heads. Learning about a security flaw in a mobile app designed for a security conference is one of those things that people find puzzling. Or not.
Many members of the cybersecurity community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about a leaky RSAC app. Few, however, are really shocked by the reported breach.
Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app. RSAC tweeted a confirmation of the breach confessing, “Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.”
The database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app. According to Twitter threads, the security researcher who discovered the flaw messaged RSAC to alert them to some security issues with their conference app. Only six hours later, the researcher thanked both Eventbase Tech and RSAC for quickly fixing the data leak, applauding the great response time and confirming that the attendee data was no longer accessible through the reported method.
It’s not uncommon for a conference to encourage attendees to use a mobile app to navigate their way through the exhibits, speakers, and additional events, even though the week’s schedule and other pertinent details of the event are available on the conference website. Some conferences will advise downloading the app for “last-minute changes or updates.” Many do, especially at a conference like RSAC, because there’s an inherent trust that the mobile app for a security conference is safe. But no technology is ever completely free from risk, which attendees learned the hard way back at RSAC 2014 when a mobile application exposed the personal information of attendees.
Ironically, a Google search for “RSA leaky conference app” resulted in a link to an RSAC presentation by a Kaspersky Labs security researcher who spoke earlier this week about leaking ads. The description of his talk? “Most developers currently use HTTPS to protect user data. But that doesn’t mean their apps are secure.”