Feeds

American Fantasy Football app lets hackers change team rosters

Yahoo! applies SSL to lock down insecure mobile gridiron game

SANS - Survey on application security programs

Security researchers have discovery a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.

Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.

NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, the process of authenticating genuine users, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players' lineups, putting injured or poor performing players in the weekly lineup, while benching top-rated players on that individual's team. The issue arose as a result of a catalog of related security shortcomings.

The API used by the Yahoo!'s American Football mobile app failed to use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning once snaffled, hackers could abuse stolen session cookies to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.

Lastly, requests from the mobile web application included full blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. "An attacker simply needed to look at the SQL statement, and see that the value to the ‘mbody’ column is an XML document of the full lineup," NT OBJECTives explains. "By simply extracting that XML, the hacker could make any desired changes and then toss it back into the SQL statement and send it on."

"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," explained Dan Kuykendall, CTO of NT OBJECTives.

"Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognises the secret, it knows the request is valid," he said. "When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."

The security firm is careful not to overstate the impact of this particular vulnerability, which it says doesn't amount to a major risk. However, similar classes of vulnerabilities (weak or nonexistent session management) in more sensitive mobile applications can cause all sorts of problems. Insecure mobile applications are often developed and delivered too quickly without proper security testing, it warns.

Yahoo! was notified of the vulnerability and the newest version now requires SSL.

A demonstration of how the mobile hack works can be found in a whiteboard-style video featuring NT OBJECTives' Kuykendall. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.