All but the most recent version of the mobile application for Yahoo’s popular fantasy football service are vulnerable to a session hijack attack in which an unauthenticated person could remotely change team lineups, post messages and perform other mischief on behalf of the legitimate user.
Developers can create session hijack vulnerabilities by failing to correctly implement session tokens or – as is the case here – by implementing weak session tokens that remain valid for too long. Attackers can exploit session hijack vulnerabilities in a number of ways ranging from the simple – stealing an unencrypted cookie as it travels from an app to a server – to the incredibly complicated.
“One of the most common security mistakes made during the development of mobile web applications is related to session management,” said Dan Kuykendall, the researcher who uncovered this bug.
Kuykendall, the co-CEO and CTO of the application security firm NT OBJECTives, explained in a video that Yahoo’s fantasy football service has a Web application that users can log into online. This service communicates with a Yahoo database that does all the real computing work for the fantasy football leagues. The Web app, Kuykendall claims, is pretty secure.
However, the mobile app routes its communications through an application programming interface before it accesses Yahoo’s fantasy football database. Kuykendall explains in the video that the mobile applications produce data when a user interacts with the app. This information then goes to the API, where it is reorganized and sent along to the Yahoo database. At the same time, the API is constantly checking in on the app and pulling information from it. As it turns out, all the traffic between the app and the API travels in plain text, failing to employ secure sockets layer (SSL) or any other encryption.
Kuykendall told Threatpost in a phone interview that Yahoo has implemented a new API that uses SSL in the most recent version of its application, but users of old versions remain vulnerable to exploit because Yahoo has not disabled the old API. Disabling the vulnerable API would render outdated versions of the app useless and compel most users to update to the newest version. In addition, a number of third-party fantasy football apps use the same API and are likely vulnerable to attack as well.
Beyond that, the communications were protected by a single, simple session token that was valid for the entire season.
“Once the session token is stolen,” Kuykendall says in a video, “anybody can now impersonate this user.”
Using this long-lasting session token, an attacker could log in and out of user accounts and shuffle players around, replacing productive players with unproductive or injured ones in order to gain a competitive advantage.
“Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone’s session tokens,” said Kuykendall. “During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week.”
Specifically, three broad weaknesses in Yahoo’s application gave Kuykendall an opportunity to exploit it: the API, of course, failed to use SSL; the session token, which was actually just a static session cookie rather than a more secure, session-specific private token, was valid for the entire season; and requests from the application included full SQL statements, an obvious additional avenue for SQL injection attacks.
“Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings,” Kuykendall says, describing session tokens. “If the server recognizes the secret, it knows the request is valid. When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted.”
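The two token problems described above, a season-long static cookie and a shared secret that keeps being retransmitted, both come down to how the server-side "decoder ring" is managed. The following is an added example, written for this article and not code from Yahoo, NT OBJECTives or Kuykendall, showing the defender-side design: the client holds only an opaque random token, the server stores a hash of it with an idle timeout and an absolute lifetime, and the token can be rotated or revoked. The timeout values and the "draft day" replay scenario are constructed assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy values (assumptions for this example, not Yahoo's settings).
# A season-long static cookie is the equivalent of an absolute lifetime of months;
# these caps bound how long a captured token stays useful.
SESSION_IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before the session dies
SESSION_ABSOLUTE_LIFETIME = 12 * 3600   # hard cap regardless of activity
TOKEN_BYTES = 32                        # 256 bits of randomness per token


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


def _key(token: str) -> str:
    # Store only a hash of the token so a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table; the client never learns anything but its own token."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)   # unguessable, unlike a static cookie
        now = self._clock()
        self._sessions[_key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live token; expired or unknown tokens yield None."""
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.created_at > SESSION_ABSOLUTE_LIFETIME
                or now - sess.last_seen > SESSION_IDLE_TIMEOUT):
            del self._sessions[key]    # forget it so a replay cannot revive it
            return None
        sess.last_seen = now
        return sess.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user and retire the old one (e.g. after login)."""
        user_id = self.validate(token)
        if user_id is None:
            return None
        del self._sessions[_key(token)]
        return self.create(user_id)

    def revoke(self, token: str) -> None:
        self._sessions.pop(_key(token), None)


class FakeClock:
    """Constructed clock so the expiry rules can be demonstrated without waiting."""

    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def stolen_token_timeline() -> dict:
    """Constructed scenario: a token captured on 'draft day' is replayed a week later."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock.now)
    token = store.create("user-42")
    same_day = store.validate(token)       # within the idle window, still accepted
    clock.advance(7 * 24 * 3600)           # one week passes with no activity
    next_week = store.validate(token)      # None: both idle and absolute limits exceeded
    return {"same_day": same_day, "next_week": next_week}


if __name__ == "__main__":
    print(stolen_token_timeline())         # {'same_day': 'user-42', 'next_week': None}
```

Expiry alone does not help if the token still crosses the network in the clear, so in a real deployment this store sits behind TLS and the token travels in a header or cookie that the client treats as a secret; the idle and absolute caps then limit how long a token captured some other way can be replayed.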