CBS Sports Data Leak Discovered During NCAA Tournament

Liarna La Porta

Our Threat Ops Team recently identified that both the Android and iOS versions of the CBS Sports app transfer PII (Personally Identifiable Information), including passwords, zip codes and birth dates, over an insecure connection. Furthermore, the mobile CBS Sports website is also open to interception: both the sign-up process and the login process are insecure.

Since mobile users are vulnerable to man-in-the-middle attacks, we believe that this potential data exposure is very sensitive with a high impact surface area, especially during popular sports events when app and website usage is boosted significantly, e.g. the ongoing NCAA tournament.

Security Implications

Like other rational agents, cyber criminals tend to select their targets based on likelihood of success. A highly popular event like the NCAA Basketball tournament, in combination with a popular but vulnerable app or website, represents an attractive target.

The CBS Sports app is among the most popular sources of sports news, with a dedicated section reporting the NCAA tournament, and millions of downloads. App users have the option to create an account with the CBS Sports app and use it across the mobile and desktop websites. Our researchers have identified that a significant amount of personal data is collected during the account registration process, and all these details are sent in clear text over an unencrypted connection to the app’s backend servers. The PII exposed is as follows:

  • First name and surname
  • Email address
  • Account password in clear text
  • Date of birth
  • Zip code

The CBS Sports mobile website provides similar functionality to the app, but during the login process the mobile website fails to encrypt the data, and the user’s email/user ID and password are transmitted in clear text. There is a further, less severe data leak in the unprotected “Forgot User ID or password” functionality, which exposes only the user’s email address.
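A traffic-audit check for the registration and login exposures described above, as an added example that is not from the original post or from Wandera: it scans captured HTTP requests and flags those carrying the listed PII types over plain HTTP. The form-field names, hostnames and sample requests are constructed assumptions, since the post does not give the actual parameter names.

```python
from urllib.parse import urlsplit, parse_qsl

# Form-field names are assumptions for illustration; the post lists the data
# types exposed but not the parameter names the app or website uses.
PII_FIELDS = {
    "first_name": "name", "last_name": "name",
    "email": "email address", "user_id": "user ID",
    "password": "password",
    "dob": "date of birth", "birth_date": "date of birth",
    "zip": "zip code", "zip_code": "zip code",
}

def find_cleartext_pii(requests):
    """Return (url, sorted PII categories) for each request that carries
    non-empty PII fields in its query string or form body over plain HTTP."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # TLS-protected requests are not flagged by this check
        # PII can travel in the URL query string as well as the POST body.
        pairs = parse_qsl(parts.query) + parse_qsl(req.get("body", ""))
        hits = {PII_FIELDS[k.lower()] for k, v in pairs
                if k.lower() in PII_FIELDS and v}
        if hits:
            findings.append((req["url"], sorted(hits)))
    return findings

# Constructed sample traffic (not captured from any real service).
SAMPLE = [
    {"url": "http://app.example.invalid/register",
     "body": "first_name=A&last_name=B&email=a%40example.invalid"
             "&password=x&dob=1990-01-01&zip=00000"},
    {"url": "http://m.example.invalid/login",
     "body": "user_id=a%40example.invalid&password=x"},
    {"url": "http://m.example.invalid/forgot?email=a%40example.invalid",
     "body": ""},
    {"url": "https://m.example.invalid/login",
     "body": "user_id=a&password=x"},
    {"url": "http://m.example.invalid/scores?league=ncaab", "body": ""},
]

if __name__ == "__main__":
    for url, categories in find_cleartext_pii(SAMPLE):
        print(url, "->", ", ".join(categories))
```

The same login fields sent over `https://` are not flagged, which is the behaviour a fixed app or website should show for every request in the list.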

Remediation and Prevention

Recommendation: The mobile website/app should only be used when connected to a trusted secure access point.

Recommendation: Users should have an active mobile security service deployed to block data leaks.

Read our CBS Sports Threat Advisory to learn more.

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.
