Feeds

American Fantasy Football app lets hackers change team rosters

Yahoo! applies SSL to lock down insecure mobile gridiron game

Choosing a cloud hosting partner with confidence

Security researchers have discovery a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.

Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.

NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, the process of authenticating genuine users, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players' lineups, putting injured or poor performing players in the weekly lineup, while benching top-rated players on that individual's team. The issue arose as a result of a catalog of related security shortcomings.

The API used by the Yahoo!'s American Football mobile app failed to use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning once snaffled, hackers could abuse stolen session cookies to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.

Lastly, requests from the mobile web application included full blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. "An attacker simply needed to look at the SQL statement, and see that the value to the ‘mbody’ column is an XML document of the full lineup," NT OBJECTives explains. "By simply extracting that XML, the hacker could make any desired changes and then toss it back into the SQL statement and send it on."

"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," explained Dan Kuykendall, CTO of NT OBJECTives.

"Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognises the secret, it knows the request is valid," he said. "When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."

The security firm is careful not to overstate the impact of this particular vulnerability, which it says doesn't amount to a major risk. However, similar classes of vulnerabilities (weak or nonexistent session management) in more sensitive mobile applications can cause all sorts of problems. Insecure mobile applications are often developed and delivered too quickly without proper security testing, it warns.

Yahoo! was notified of the vulnerability and the newest version now requires SSL.

A demonstration of how the mobile hack works can be found in a whiteboard-style video featuring NT OBJECTives' Kuykendall. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.