With Superbowl Sunday approaching, interest in the ritualized combat that is American football is peaking for the year – but fans of the action may be letting hackers slurp their personal details.
An analysis of the National Football League phone app by mobile internet biz Wandera has shown that whoever wrote the software didn't care much for privacy or security. When users sign into the app, it sends the username and password over the internet in an unencrypted API call, and stashes them in a separate unencrypted cookie on the handheld.
An attacker able to intercept this information can use it to access the victim's personal account on the NFL.com website, which is also served over the 'net unencrypted. This will reveal the user's name, email, physical address, date of birth, phone number, occupation, and submitted social networking accounts.
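The two weaknesses described above (login credentials in a plaintext API call, and credential values kept in an unencrypted cookie) are the kind of thing a defender can check for in their own traffic captures before shipping. The following Python is an added example, not code from the NFL app or from Wandera's analysis; the request records, host names and the list of credential-like field names are constructed assumptions.

```python
"""Spot login credentials travelling over plain HTTP in captured requests.

Added illustration for the article above, not code from the NFL app or
from Wandera. The request records below are constructed samples and the
host names are placeholders.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Parameter/cookie names that typically carry login secrets (assumed list).
CREDENTIAL_FIELDS = {"username", "user", "email", "password", "passwd", "pwd"}


def is_plaintext(url: str) -> bool:
    """True for requests sent without TLS."""
    return urlsplit(url).scheme.lower() == "http"


def credential_fields_in_body(body: str) -> list[str]:
    """Credential-like keys in a urlencoded request body, sorted."""
    keys = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    return sorted(keys & CREDENTIAL_FIELDS)


def credential_fields_in_cookie(cookie_header: str) -> list[str]:
    """Credential-like cookie names in a Cookie header value, sorted."""
    names = {
        part.split("=", 1)[0].strip().lower()
        for part in cookie_header.split(";")
        if part.strip()
    }
    return sorted(names & CREDENTIAL_FIELDS)


def audit(requests: list[dict]) -> list[tuple[int, str]]:
    """Return (index, reason) for every request that exposes credentials in clear.

    Only non-TLS requests are flagged: the same fields over HTTPS are not
    readable by someone sitting on the network path.
    """
    findings: list[tuple[int, str]] = []
    for i, req in enumerate(requests):
        if not is_plaintext(req["url"]):
            continue
        body_fields = credential_fields_in_body(req.get("body", ""))
        if body_fields:
            findings.append((i, "credentials in body over http: " + ", ".join(body_fields)))
        cookie_fields = credential_fields_in_cookie(req.get("headers", {}).get("Cookie", ""))
        if cookie_fields:
            findings.append((i, "credentials in cookie over http: " + ", ".join(cookie_fields)))
    return findings


# Constructed sample traffic (not real captures): a login POST over HTTP,
# the same POST over HTTPS, a cookie echoing the password over HTTP, and
# a harmless unauthenticated fetch.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example.invalid/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=hunter2"},
    {"method": "POST", "url": "https://api.example.invalid/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=hunter2"},
    {"method": "GET", "url": "http://www.example.invalid/account",
     "headers": {"Cookie": "session=abc123; password=hunter2"}, "body": ""},
    {"method": "GET", "url": "http://www.example.invalid/scores",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_REQUESTS):
        req = SAMPLE_REQUESTS[idx]
        print(f"[{idx}] {req['method']} {req['url']}: {reason}")
```

Running the audit over the samples flags the first and third requests only. The fix on the app side is the obvious one: make the login call over TLS only, never persist the password itself on the device (keep a short-lived session token instead), and mark any session cookie Secure and HttpOnly so it is not replayed over plain HTTP.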
"It is ironic that just like a quarterback being vulnerable to an interception, the NFL app is vulnerable to a man-in-the-middle attack that puts users' data at risk of interception by hackers," said Eldar Tuvey, CEO of Wandera.
"23 percent of our US customers have at least one employee using the app, and we expect this to increase significantly as the big game approaches."
While the NFL Mobile software can collect credit card numbers, the Wandera researchers didn't try to access that data for fear of falling foul of the law. Other software produced by the football body, including NFL Now and NFL Fantasy Football, may also be vulnerable, but even the data leaked by the Mobile app is irritating enough.
"A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets," Tuvey said.
"Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans."
A spokesman for the NFL told El Reg: "We’ve looked into this vulnerability and it’s been addressed. We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible." ®