The official mobile application for the ongoing RSA Conference contains a half-dozen security vulnerabilities, according to an analysis performed by researchers from the security service provider IOActive.
IOActive chief technical officer Gunter Ollmann claims the most severe of the vulnerabilities could give an attacker the ability to perform man-in-the-middle attacks, injecting malicious code and stealing login credentials.
“If we were dealing with a banking application,” Ollmann writes, “then heads would have been rolling in an engineering department, but this particular app has only been downloaded a few thousand times, and I seriously doubt that some evil hacker is going to take the time out of their day to target this one application (out of tens-of-millions) to try phish credentials to a conference.”
While Ollmann notes that the man-in-the-middle vulnerability mentioned above is the most severe, he says the second most severe bug is actually more interesting. The application apparently downloads a SQLite database file that is then used to populate the app’s user interface with various conference information, like speaker profiles and schedules. That seems innocuous enough, but the database – for reasons that remain a mystery to Ollmann – contains the first and last names, employers, and titles of every user that has downloaded and registered with the application.
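The database described above is a reminder that any SQLite file a mobile app bundles or downloads ends up in the hands of every user, so it should be audited for person-level data before it ships. The following is an added example and is not code from the article, from IOActive, or from the conference app: it builds a constructed in-memory database whose table layout is assumed purely for illustration (a public schedule, public speaker profiles, and a registered-user table that should never have reached clients) and flags tables whose column names look like records about people. A column such as `title` is only counted when it sits beside a strong identifier like a name, since a session title alone is not personal data.

```python
import re
import sqlite3

# Column names that on their own mark a row as being about a person.
# Assumption: an illustrative list, not an exhaustive PII taxonomy.
STRONG_PII = re.compile(r"(?:first|last|full|display|given|family)?_?name$|e_?mail|phone", re.I)
# Column names that are personal data only next to a strong match
# (a conference session has a title too, and that is not PII).
CONTEXT_PII = re.compile(r"employer|company|organi[sz]ation|job_?title|^title$", re.I)


def build_sample_db():
    """Constructed sample database: two tables that belong in a client app
    and one attendee table that does not."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, title TEXT, room TEXT)")
    cur.execute("CREATE TABLE speakers (id INTEGER PRIMARY KEY, display_name TEXT, bio TEXT)")
    cur.execute("CREATE TABLE registered_users (id INTEGER PRIMARY KEY, first_name TEXT, "
                "last_name TEXT, employer TEXT, job_title TEXT)")
    cur.executemany("INSERT INTO sessions (title, room) VALUES (?, ?)",
                    [("Keynote", "Hall A"), ("Mobile App Hardening", "Room 2")])
    cur.executemany("INSERT INTO speakers (display_name, bio) VALUES (?, ?)",
                    [("Speaker One", "Talks about conference apps.")])
    cur.executemany("INSERT INTO registered_users (first_name, last_name, employer, job_title) "
                    "VALUES (?, ?, ?, ?)",
                    [("Alice", "Example", "Example Corp", "CISO"),
                     ("Bob", "Sample", "Sample LLC", "Engineer"),
                     ("Carol", "Test", "Test Inc", "Analyst")])
    conn.commit()
    return conn


def audit_database(conn):
    """Return {table: {"columns": [...], "rows": n}} for every table whose
    column names indicate person-level data; judged from the schema alone,
    so findings are a review list, not a verdict."""
    findings = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # identifier quoting for PRAGMA/COUNT
        cols = [r[1] for r in cur.execute(f"PRAGMA table_info({quoted})")]
        strong = [c for c in cols if STRONG_PII.search(c)]
        if not strong:
            continue  # a title or company column alone does not make a person record
        context = [c for c in cols if CONTEXT_PII.search(c)]
        rows = cur.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        findings[table] = {"columns": strong + context, "rows": rows}
    return findings


def audit_file(path):
    """Audit an on-disk SQLite file, e.g. one pulled from an app's data directory."""
    conn = sqlite3.connect(path)
    try:
        return audit_database(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for table, info in audit_database(build_sample_db()).items():
        print(f"{table}: {info['rows']} rows, person-related columns {info['columns']}")
```

Run against a real file with `audit_file("app.db")`; any flagged table with more than a handful of rows deserves the question Ollmann raises, namely why that data is on the client at all.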
Ollmann admits he’s taking a bit of a potshot at one of the premier security industry conferences, but the point he is really trying to make, he claims, is a bigger one.
“Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications,” he said.