Feeds

American Fantasy Football app lets hackers change team rosters

Yahoo! applies SSL to lock down insecure mobile gridiron game

The Power of One eBook: Top reasons to choose HP BladeSystem

Security researchers have discovery a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.

Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.

NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, the process of authenticating genuine users, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players' lineups, putting injured or poor performing players in the weekly lineup, while benching top-rated players on that individual's team. The issue arose as a result of a catalog of related security shortcomings.

The API used by the Yahoo!'s American Football mobile app failed to use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning once snaffled, hackers could abuse stolen session cookies to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.

Lastly, requests from the mobile web application included full blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. "An attacker simply needed to look at the SQL statement, and see that the value to the ‘mbody’ column is an XML document of the full lineup," NT OBJECTives explains. "By simply extracting that XML, the hacker could make any desired changes and then toss it back into the SQL statement and send it on."

"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," explained Dan Kuykendall, CTO of NT OBJECTives.

"Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognises the secret, it knows the request is valid," he said. "When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."

The security firm is careful not to overstate the impact of this particular vulnerability, which it says doesn't amount to a major risk. However, similar classes of vulnerabilities (weak or nonexistent session management) in more sensitive mobile applications can cause all sorts of problems. Insecure mobile applications are often developed and delivered too quickly without proper security testing, it warns.

Yahoo! was notified of the vulnerability and the newest version now requires SSL.

A demonstration of how the mobile hack works can be found in a whiteboard-style video featuring NT OBJECTives' Kuykendall. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.