No way, RSA! Security conference's mobile app embarrassingly insecure

Sorry about the hard-coded passwords, can we sell you some crypto now?


RSA has copped to a security vulnerability in the backend systems powering the smartphone app for its annual security conference, held this week in San Francisco, USA.

Infosec expert "svbl" discovered and reported a privacy cockup in an API used by the conference's mobile app: anyone with an RSA Conference account could query the interface to fetch the names of all other event attendees. To prove the API was not properly secured, svbl pulled more than 100 names from the database through it.

The harvested data consisted of attendee names only; no other private information is believed to have been exposed. RSA says it has since fixed the issue, and that 114 names in total were fetched via the insecure API.

Svbl told El Reg he didn't try to access the full attendee database, and nobody else is believed to have exploited the vulnerability, so the damage appears thus far to have been minimal.

For most security companies this would be an embarrassing mishap and cause for a careful examination of development practices. For RSA, it's just a trip down memory lane.

Back in 2014, security researcher Gunter Ollmann analyzed that year's RSA Conference app and found it was so poorly written that it allowed credential theft via a man-in-the-middle attack and exposed users' personal information.

The timing was particularly awkward as that year's conference was being partially boycotted after allegations surfaced that a backdoor in one of its cryptographic toolkits was orchestrated by the US government. RSA has maintained that it didn't take the NSA's money to bork its own products. ®

Biting the hand that feeds IT © 1998–2020