UEFA's Euro 2016 app is airing football fans’ privates in public

Offside! Lack of encryption bares usernames, passwords and more

The official UEFA Euro 2016 app is leaking football fans’ personal data, security researchers warn.

The app is transmitting user credentials - including usernames, passwords, addresses and phone numbers - over an insecure internet connection, mobile security outfit Wandera discovered.

The lack of encryption in the app, which has clocked up more than 100,000 downloads, offers a possible conduit for data leaks. Wandera warns that both the  iOS and Android versions of the app are vulnerable.

El Reg relayed the warning to UEFA’s press team with a request for comment. No word as yet but we’ll update this story as and when we hear more.

Wandera’s SmartWire Labs said it has witnessed and upsurge in enterprise smartphones accessing malicious websites – most likely linked to an increasing number of mobile ads - since the tournament started.

“Increased data usage during the beginning of Euro 2016 will come as no surprise to anyone,” said Eldar Tuvey, chief exec of Wandera. “What is clear however, is that football fans are travelling across Europe [and] accessing apps and websites that are unfamiliar to them [on order] to access the up-to-date information they crave. Our analysis proves that even so-called ‘trusted sources’ carry risk and vulnerability – something that enterprises must be equipped to deal with.”

More analysis of Euro 2016’s impact on mobile security and usage can be found here (pdf). ®

Update

UEFA has been in touch to acknowledge the problem, which its developers have now fixed.

"It is correct that there is an issue with the fan app, concerning a third party component in the myfanzone section, where the contact details of around 4,000 users (name, email and phone number) were not fully protected," it said on Saturday morning.

By Monday morning the problem was fixed.

"All security vulnerabilities have been solved," A Uefa spokesman explained. "Data exchange between the mobile App and the server are now encrypted."


Biting the hand that feeds IT © 1998–2017