Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope's Click to Pray eRosary app
Vatican coders exorcise API gremlins but, we must confess, they missed one little monster....
Exclusive The technology behind the Catholic Church’s latest innovation, an electronic rosary, is so insecure, it can be trivially hacked to siphon off worshipers' personal information.
The eRosary, which went on sale this week at just $109 (£85) a pop, consists of ten metallic beads, and a metal cross that’s Bluetooth enabled, has wireless charging, and is motion sensitive.
When the wearer makes the sign of the cross with the rosary, the accompanying Click to Pray app on their paired phone or tablet activates: this software suggests which rosary movements to make, and which prayers to mumble. It can also be configured to remind believers that it's time for a chat with God.
However, infosec bods at UK-based Fidus Information Security quickly uncovered flaws in the backend systems used by the Click to Pray app, which is available for iOS and Android. The security vulnerabilities are more embarrassing than life-threatening.
'Bodged'
“One of our researchers decided to check out the code, and in just 10 minutes found some glaring issues,” Andrew Mabbitt, founder of Fidus, told The Register on Friday. “It looks like someone’s taken a fitness band app and bodged it together with existing code that leaves any user account hackable.”
The Fidus egghead who found the flaw, Chris, explained there were two key issues. Firstly, when you install the Click to Pray app, you're asked to create an online account. This profile is protected by a four-digit PIN. Yes, just four digits to log into your profile from the Click to Pray app. This is trivial to brute-force because you are given unlimited retries, and there is no mechanism to slow the process.
Secondly, the application talks to its backend systems via API calls: sendPIN and resetPIN. Due to a vulnerability in the code, it was possible to send over a user's email address via this API and retrieve the corresponding account PIN in a readable format. That meant if someone submitted a stranger's email address, they could gain access to the corresponding Click to Pray profile, if one existed.
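Both weaknesses described above, the four-digit PIN with unlimited retries and the reset endpoint that handed back the PIN itself, come down to how the backend verifies and resets PINs. The following Python module is an added illustration of how such an endpoint is normally hardened; it is not code from Click to Pray, Fidus, or the Vatican's fix, and the account store, the `AccountStore` class, the lockout and token lifetimes, the PBKDF2 parameters, and the email address are all constructed for the example. PINs are stored salted and hashed rather than in a readable form, a wrong guess counts toward a temporary lockout so that ten thousand guesses cannot be tried at will, an unknown email address gets the same response and the same amount of work as a known one, and a reset never returns the PIN: it mints a one-time token that is delivered out of band and then exchanged for a new PIN.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed parameters for the example; a real deployment would tune these.
PBKDF2_ITERATIONS = 100_000   # work factor per PIN check, also slows offline guessing
MAX_FAILED_ATTEMPTS = 5       # wrong guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long a locked account refuses all logins
RESET_TOKEN_TTL = 10 * 60     # lifetime of a reset token delivered out of band
DUMMY_SALT = b"\x00" * 16     # used to spend equal time on unknown addresses


def is_valid_pin(pin):
    """The app's format: exactly four decimal digits."""
    return isinstance(pin, str) and len(pin) == 4 and pin.isdigit()


class AccountStore:
    """In-memory stand-in for the backend's account database (constructed)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._accounts = {}          # email -> salt, pin_hash, failures, locked_until
        self._reset_tokens = {}      # token -> (email, expiry)

    @staticmethod
    def _hash_pin(pin, salt):
        # Salted, iterated hash: the stored value never reveals the PIN in readable form.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def create_account(self, email, pin):
        if not is_valid_pin(pin):
            raise ValueError("PIN must be four digits")
        salt = os.urandom(16)
        self._accounts[email] = {"salt": salt, "pin_hash": self._hash_pin(pin, salt),
                                 "failures": 0, "locked_until": 0.0}

    def verify_pin(self, email, pin):
        """Return True only for the right PIN on an account that is not locked out."""
        acct = self._accounts.get(email)
        now = self._clock()
        if acct is None:
            # Do the same work for an unknown address so timing does not confirm existence.
            self._hash_pin(pin, DUMMY_SALT)
            return False
        if now < acct["locked_until"]:
            return False  # locked: even the correct PIN is refused until the lockout ends
        if hmac.compare_digest(self._hash_pin(pin, acct["salt"]), acct["pin_hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False

    def request_reset(self, email, deliver):
        """Start a reset. The API response carries no secret; the one-time token goes
        through `deliver` (in production the mail sender for that address)."""
        if email in self._accounts:
            token = secrets.token_urlsafe(32)
            self._reset_tokens[token] = (email, self._clock() + RESET_TOKEN_TTL)
            deliver(token)
        # Same wording whether or not the address exists.
        return "If an account exists for that address, a reset link has been sent."

    def complete_reset(self, token, new_pin):
        """Exchange an unexpired, unused token for a new PIN; the old PIN is never exposed."""
        entry = self._reset_tokens.pop(token, None)  # pop makes the token single-use
        if entry is None or not is_valid_pin(new_pin):
            return False
        email, expiry = entry
        if self._clock() > expiry:
            return False
        acct = self._accounts[email]
        acct["salt"] = os.urandom(16)
        acct["pin_hash"] = self._hash_pin(new_pin, acct["salt"])
        acct["failures"] = 0
        acct["locked_until"] = 0.0
        return True


if __name__ == "__main__":
    clock = [0.0]
    store = AccountStore(clock=lambda: clock[0])
    store.create_account("worshipper@example.invalid", "1234")  # constructed account
    # After MAX_FAILED_ATTEMPTS wrong guesses the lockout refuses even the right PIN.
    for guess in ["0000"] * MAX_FAILED_ATTEMPTS + ["1234"]:
        print(guess, store.verify_pin("worshipper@example.invalid", guess))
    clock[0] += LOCKOUT_SECONDS + 1
    print("after lockout expires:", store.verify_pin("worshipper@example.invalid", "1234"))
```

The lockout here is per account; a production service would also throttle per client and alert on bursts of failures, since a four-digit space is small enough that any unthrottled path, including the reset endpoint, needs the same treatment.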
Fidus revealed more information here, on its website, on Friday.
The Register set up a dummy account on the app, using the name Satan, and, sure enough, it was hijacked within minutes by the Fidus team. While accounts do not store anything too sensitive, such as financial information, they do contain personally identifying data – such as folks' names and physical descriptions. In countries like China, where Catholics aren’t too popular, this sort of data could be damaging if exposed.
Father Frederic Fornos, the International Director of the Pope's Worldwide Prayer Network, told The Register that as soon as he was alerted to the security weaknesses by Fidus on Thursday, he put Vatican coders on the job to fix them, and pledged to, miracles upon miracles, have the holes patched over within 24 hours.
And according to Fidus, the developers have already shored up the software, kind of. “They have fixed the [API] issue, but in a really convoluted way,” Mabbitt told us.
“Now when the API call is made, you can’t extract the four-digit PIN [from the data sent back]. But there is still no protection against brute forcing the PIN, so that’s definitely still an option.”
A Vatican spokesperson told The Register the API shortcomings were also spotted by a security researcher going by the pseudonym Elliot Alderson, who, like Fidus, privately reported the bugs but also sent the Vatican code to fix the issue. You can read Alderson's full report here [PDF].
The eRosary has only just been announced, so just a few thousand people are using the thing, judging from the Android store stats. Until the app is completely fixed, those who feel the need for electronic prayer monitoring should hold off and stick to the more traditional ways of practicing their faith. ®
Updated to add
A Vatican spokesperson has confirmed that the brute forcing issue has now been solved.