This article is more than 1 year old
No way, RSA! Security conference's mobile app embarrassingly insecure
Sorry about the hard-coded passwords, can we sell you some crypto now?
RSA has copped to a security vulnerability in the backend systems powering the smartphone app for its annual security conference, held this week in San Francisco, USA.
Infosec expert "svbl" discovered and reported a privacy cockup in an API, which could be accessed by anyone with an RSA Conference account, to fetch the names of all other event attendees. Svbl was able to extract more than 100 names from the database using this dodgy software interface, used by the mobile app, to prove it was not properly secured.
If you attended #RSAC2018 and see your first name there - sorry! 😳 pic.twitter.com/YrgZo6jHDu
— svbl (@svblxyz) April 20, 2018
The harvested data consisted of attendee names. No other private information was believed to have been exposed. RSA says it has since remedied the issue, and that 114 names were fetched in total via the insecure API.
— RSA Conference (@RSAConference) April 20, 2018
Svbl told El Reg he didn't try to access the full attendee database, and nobody else is believed to have exploited the vulnerability, so the damage appears thus far to have been minimal.
For most security companies this would be an embarrassing mishap and cause for a careful examination of development practices. For RSA, it's just a trip down memory lane.
Back in 2014 security researcher Gunter Ollmann analyzed an RSA Conference app and found that it was so poorly written it would allow credentials stealing via a man-in-the-middle attack and exposed user's personal information.
The timing was particularly awkward as that year's conference was being partially boycotted after allegations surfaced that a backdoor in one of its cryptographic toolkits was orchestrated by the US government. RSA has maintained that it didn't take the NSA's money to bork its own products. ®