Original URL: https://www.theregister.com/2013/09/06/yahoo_gridiron_game_uncryption/

American Fantasy Football app lets hackers change team rosters

Yahoo! applies SSL to lock down insecure mobile gridiron game

By John Leyden

Posted in Security, 6th September 2013 18:39 GMT

Security researchers have discovery a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.

Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.

NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, the process of authenticating genuine users, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players' lineups, putting injured or poor performing players in the weekly lineup, while benching top-rated players on that individual's team. The issue arose as a result of a catalog of related security shortcomings.

The API used by the Yahoo!'s American Football mobile app failed to use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning once snaffled, hackers could abuse stolen session cookies to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.

Lastly, requests from the mobile web application included full blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. "An attacker simply needed to look at the SQL statement, and see that the value to the ‘mbody’ column is an XML document of the full lineup," NT OBJECTives explains. "By simply extracting that XML, the hacker could make any desired changes and then toss it back into the SQL statement and send it on."

"Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone's session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week," explained Dan Kuykendall, CTO of NT OBJECTives.

"Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognises the secret, it knows the request is valid," he said. "When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted."

The security firm is careful not to overstate the impact of this particular vulnerability, which it says doesn't amount to a major risk. However, similar classes of vulnerabilities (weak or nonexistent session management) in more sensitive mobile applications can cause all sorts of problems. Insecure mobile applications are often developed and delivered too quickly without proper security testing, it warns.

Yahoo! was notified of the vulnerability and the newest version now requires SSL.

A demonstration of how the mobile hack works can be found in a whiteboard-style video featuring NT OBJECTives' Kuykendall. ®