NFL Mobile App Leaks Unencrypted Credentials

The National Football League’s NFL Mobile application leaks unencrypted credentials putting personal user information at risk.

Update – As if the National Football League doesn’t have enough to worry about during Super Bowl week with deflated footballs and cheating allegations marring its most important event, a security firm has found a glaring vulnerability in its mobile application.

Just in time for the big game, NFL Mobile apparently leaks user profile data via a secondary API call that is not encrypted.

Researchers at Wandera, a mobile data gateway provider, said that once a user signs in to the NFL Mobile app, the user’s credentials are sent in the clear in a secondary, unencrypted API call. The username and user’s email address were also found in an unencrypted cookie that’s created upon login and used in subsequent calls made by the mobile application to different NFL.com domains.
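The two failure modes Wandera describes (credentials repeated in a plaintext follow-up API call, and an identity-bearing cookie replayed to other hosts over HTTP) are easy to miss in a manual review but simple to check for in a traffic capture. The following is an added example, not code from the article, Wandera or the NFL: a passive audit over captured requests that flags credentials in any HTTP (non-TLS) query string or body, a server-issued cookie presented over HTTP, an email address embedded in a cookie value, and the underlying misconfiguration, a cookie set without the Secure attribute. The hostnames, cookie name and records are constructed, not NFL Mobile traffic.

```python
"""Passive audit of a captured HTTP session for cleartext credential leaks.

Added example; the capture format and the example-league.test hosts are
assumptions made for illustration, not the NFL's real endpoints.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlparse

# Parameter names that commonly carry credentials or the account identifier.
CREDENTIAL_KEYS = {"username", "user", "login", "email", "password", "passwd", "pwd"}
EMAIL_RE = re.compile(r"[^@\s|;]+@[^@\s|;]+\.[a-zA-Z]{2,}")


def parse_cookie_header(value):
    """Turn a Cookie request header ('a=1; b=2') into a dict."""
    jar = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            jar[name] = val
    return jar


def parse_set_cookie(value):
    """Split a Set-Cookie header into (name, value, {lower-cased attribute names})."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, val = first.split("=", 1)
    return name, val, {a.split("=", 1)[0].lower() for a in attrs if a}


def request_fields(url, content_type, body):
    """Collect parameters from the query string and a form- or JSON-encoded body."""
    fields = {k: v[0] for k, v in parse_qs(url.query).items()}
    if body and "json" in (content_type or ""):
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if isinstance(data, dict):
            fields.update({k: str(v) for k, v in data.items()})
    elif body:
        fields.update({k: v[0] for k, v in parse_qs(body).items()})
    return fields


def audit_capture(records):
    """Return findings for a chronologically ordered list of request records.

    Each record: {"method", "url", "headers": {...}, "body": str or None,
                  "set_cookie": [Set-Cookie values from the response]}.
    """
    findings = []
    issued_cookies = {}  # cookie name -> host that issued it earlier in the capture
    for i, rec in enumerate(records):
        url = urlparse(rec["url"])
        plaintext = url.scheme == "http"
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}

        fields = request_fields(url, headers.get("content-type"), rec.get("body"))
        leaked = sorted(k for k in fields if k.lower() in CREDENTIAL_KEYS)
        if plaintext and leaked:
            findings.append({"request": i, "issue": "credentials_over_http",
                             "host": url.hostname, "fields": leaked})

        for name, val in parse_cookie_header(headers.get("cookie", "")).items():
            if name in issued_cookies and plaintext:
                findings.append({"request": i, "issue": "login_cookie_over_http",
                                 "host": url.hostname, "cookie": name,
                                 "set_by": issued_cookies[name]})
            if EMAIL_RE.search(unquote(val)):  # identity readable by anyone on the path
                findings.append({"request": i, "issue": "email_in_cookie_value",
                                 "host": url.hostname, "cookie": name})

        for sc in rec.get("set_cookie", []):
            name, _val, attrs = parse_set_cookie(sc)
            issued_cookies[name] = url.hostname
            if "secure" not in attrs:  # browser/app may send it over plain HTTP
                findings.append({"request": i, "issue": "cookie_without_secure",
                                 "host": url.hostname, "cookie": name})
    return findings


# Constructed capture: login over TLS, then two follow-up calls over plain HTTP.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://login.example-league.test/api/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=hunter2",
     "set_cookie": ["profile=fan%40example.com%7Cfan42; Domain=.example-league.test; Path=/"]},
    {"method": "GET",
     "url": "http://api.example-league.test/v1/profile?username=fan42&password=hunter2",
     "headers": {"Cookie": "profile=fan%40example.com%7Cfan42"}, "body": None, "set_cookie": []},
    {"method": "GET", "url": "http://shop.example-league.test/account",
     "headers": {"Cookie": "profile=fan%40example.com%7Cfan42"}, "body": None, "set_cookie": []},
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Run against the constructed capture, the audit reports six findings: the login response sets the profile cookie without Secure, the second request repeats the username and password in a cleartext query string, and both plaintext follow-up requests carry the issued cookie, whose value decodes to an email address. A real review would feed it records exported from an intercepting proxy rather than the inline sample.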

A Wandera spokesperson told Threatpost that the NFL was notified last Monday and had yet to reply.

“With these credentials, an attacker can access the user’s full NFL profile at [NFL.com],” Wandera said in a statement. “This profile page is unencrypted as well, so the registered personal data is also vulnerable to man-in-the-middle intercept.

“It is unclear whether any credit card information would also be visible, as Wandera’s security team did not attempt to purchase any NFL Merchandise during the review,” the company added.

The National Football League reached out to Threatpost on Wednesday and said the vulnerability has been addressed.

“We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible,” said an NFL Media spokesperson.

Using these credentials, an attacker can snag a user’s full name, address, phone number, date of birth and other data that could contribute to identity theft, and to attacks against social media and other accounts if the same password is reused.

Wandera CEO Eldar Tuvey said 23 percent of the company’s customers in the United States have an employee using the app. With the Super Bowl on Sunday, traffic via the app and NFL.com domains figures to surge for the rest of the week, and the exposure to interception along with it.

“A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets,” Tuvey cautioned. “Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans.”

Mobile applications are a continuous sore spot with security experts. They’re often a hacker’s easiest route to compromising a user’s credentials or data, rather than attacking the mobile device itself. Apps are also criticized for requesting excessive permissions, putting user privacy further at risk. According to the results of a study conducted by the U.K.’s Information Commissioner’s Office (ICO), most of the top 50 downloaded mobile apps are greedy in requesting access to other services on the device, or to personal user data stored on the device.

Most apps (85 percent) do not explain in clear language to users what information is collected, how it’s collected, or how it’s used and disclosed. More than one-third, meanwhile, ask for excessive permissions such as access to the phone’s location data, device ID, camera, microphone, contacts and more. An easily accessible privacy policy is also absent in most cases.

This article was updated on Thursday with a comment from the National Football League.
