A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have some security problems of its own, including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.
— RSA Conference (@RSAConference) April 20, 2018
The vulnerability was found (at least publicly) by a security engineer who tweeted his findings during an examination of the RSA Conference mobile app, which was developed by Eventbase Technology. Within four hours of the disclosure, Eventbase had fixed the data leak: an API call that allowed anyone to download data containing attendee information.
if you attended #RSAC2018 and spot your first name there – sorry! pic.twitter.com/YrgZo6jHDu
— svbl (@svblxyz) April 20, 2018
Accessing the attendee list required registering an account for the application, logging in, and then grabbing a token from an XML file stored by the application. Because registration for the application only required an email address, anyone who could dump the files from their Android device could obtain the token and then insert it into a web-based application interface call to download attendee names. While the SQLite database that was downloaded was encrypted, another API call provided the key.
Another SQLite database that can still be pulled down using the application's APIs isn't encrypted, and it contains more personal information, including names, addresses, phone numbers, company names, and social media account links. Ars looked at that database, and it appears to contain only vendor and speaker information, so it is probably deliberately unencrypted since it is less sensitive.
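To make the failure mode concrete, here is an added Python example (my own illustration, not Eventbase's or the conference app's code) modelling the two API behaviours described above: a self-service registration token is accepted as sufficient authorization both for the attendee list and for the database key, while a hardened handler beside it requires an organizer scope and returns only the fields the caller needs. The class and function names (`Backend`, `attendees_weak`, `attendees_hardened`, the `attendee_list:read` scope) and all account, token and attendee data are constructed for the example.

```python
"""Added example, not code from the article or from Eventbase: a minimal
in-memory model of an event app backend showing why a login token alone
must not authorize access to the attendee list or to a decryption key.
All accounts, tokens, keys and attendee records below are constructed."""

from dataclasses import dataclass, field
import secrets

# Constructed sample records standing in for the conference backend's data.
ATTENDEES = [
    {"first": "Ada", "last": "Lovelace", "email": "ada@example.org", "phone": "+1-555-0100"},
    {"first": "Alan", "last": "Turing", "email": "alan@example.org", "phone": "+1-555-0101"},
]
DB_ENCRYPTION_KEY = "placeholder-db-key"  # constructed placeholder, not a real key


@dataclass
class Session:
    account: str
    scopes: set = field(default_factory=set)


class Backend:
    def __init__(self):
        self._sessions = {}

    def register(self, email, scopes=frozenset()):
        """Self-service signup: any email address yields a working token.
        Scopes default to none; organizers would be granted them out of band."""
        token = secrets.token_hex(16)
        self._sessions[token] = Session(email, set(scopes))
        return token

    def _session(self, token):
        """Authentication only: maps a token to its session or rejects it."""
        sess = self._sessions.get(token)
        if sess is None:
            raise PermissionError("invalid token")
        return sess

    # --- Weak pattern: any valid token is treated as authorization ---
    def attendees_weak(self, token):
        self._session(token)           # authenticates, but never authorizes
        return ATTENDEES               # full records, including contact details

    def db_key_weak(self, token):
        self._session(token)
        return DB_ENCRYPTION_KEY       # hands out the key that the encryption relied on

    # --- Hardened pattern: require a scope and minimize what is returned ---
    def attendees_hardened(self, token):
        sess = self._session(token)
        if "attendee_list:read" not in sess.scopes:
            raise PermissionError("attendee list requires an organizer scope")
        # Return only the fields needed, never phone numbers or emails.
        return [{"first": a["first"], "last": a["last"]} for a in ATTENDEES]

    # Deliberately no db_key endpoint: the key stays server-side and data is
    # served per request under the authorization check above.


def denied(call, token):
    """True if the handler rejects the token; used to show the check working."""
    try:
        call(token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    backend = Backend()
    visitor = backend.register("anyone@example.com")
    print("weak handler returns", len(backend.attendees_weak(visitor)), "full records")
    print("weak key endpoint returns", backend.db_key_weak(visitor))
    print("hardened handler denies plain signup:", denied(backend.attendees_hardened, visitor))
    organizer = backend.register("org@example.org", {"attendee_list:read"})
    print("hardened handler for organizer:", backend.attendees_hardened(organizer))
```

The point of the contrast is that the weak handlers check only that a token exists, which any email signup produces, whereas the hardened handler ties the data to a scope that self-service registration never grants and strips contact details from the response, so a leaked or freely obtained token exposes nothing beyond what its holder was entitled to.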
This is the second time an RSA mobile application has leaked attendee information. In 2014, an application built by another developer, QuickMobile, was found by Gunter Ollmann (who was at that time at IOActive) to have a SQLite database containing personal information on registered attendees.