
This gambling app is putting more than just your money at stake

By Liarna La Porta

Businesses typically discourage the use of gambling sites and apps on their employees’ corporate devices due to compliance and productivity risks. But they may not have thought about the security risks. It’s not surprising that a gambling app would use insufficient security measures. In many cases, gambling sites and apps aren’t being actively blocked on devices and so employees are continuing to put their own sensitive data, and that of their company, at the mercy of hackers.

Wandera has discovered a vulnerability in the iOS and Android apps of betFIRST, a leader in sports betting and online gaming in Belgium, that puts personally identifiable information (PII) at risk.

How does it happen?

When a user registers for an account, sensitive information such as username and password is sent unencrypted across the internet. As a result, this information is exposed to any attacker or third-party observer on the network.

Unfortunately, the lack of encryption is not the only violation of security best practices made by betFIRST.

You might’ve come across those annoying prompts to create a password longer than eight characters, using at least one number and one symbol. This is password security best practice and is enforced for good reason.

betFIRST only requires a password to be at least six characters long, far shorter than what the industry recommends.

Additionally, the betFIRST apps transmit an MD5 hash of the password during the login process as their "protection mechanism". Because that hash is identical on every login, it is effectively a static credential: an attacker who captures it can hijack the user's session simply by replaying the "login request".
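To make the replay point concrete, here is an added illustration (not code from the original post or from betFIRST): a static MD5 token verifies identically every time it is presented, whereas a server-issued single-use nonce, a hypothetical hardened design assumed here only for contrast, rejects the same captured response the second time. The per-user secret, nonce format and sample password are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PASSWORD = "sixchr"  # constructed sample, not real account data; six chars, the app's minimum

# Scheme described in the advisory: the client sends md5(password) as the credential.
def md5_login_token(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def weak_server_verify(stored_md5: str, submitted_md5: str) -> bool:
    # The token is identical on every login, so the server cannot distinguish
    # a fresh login from a captured request sent again.
    return hmac.compare_digest(stored_md5, submitted_md5)

# Hypothetical hardened scheme (an assumption, not the app's code): the server issues
# a single-use nonce and the client proves possession of its secret by HMAC-ing it.
class NonceLoginServer:
    def __init__(self, user_secret: bytes):
        self.user_secret = user_secret
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already consumed nonce: replay rejected
        self.outstanding.discard(nonce)  # each nonce is accepted at most once
        expected = hmac.new(self.user_secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(user_secret: bytes, nonce: str) -> str:
    return hmac.new(user_secret, nonce.encode(), hashlib.sha256).hexdigest()

def replay_md5_token() -> tuple:
    """Returns (first login accepted?, replayed capture accepted?) for the MD5 scheme."""
    stored = md5_login_token(PASSWORD)    # what the server holds
    captured = md5_login_token(PASSWORD)  # what a network observer saw on the wire
    return weak_server_verify(stored, captured), weak_server_verify(stored, captured)

def replay_nonce_response() -> tuple:
    """Same check for the nonce scheme: the captured response is rejected on replay."""
    server = NonceLoginServer(b"per-user-secret")  # constructed
    nonce = server.challenge()
    captured = client_response(b"per-user-secret", nonce)
    return server.verify(nonce, captured), server.verify(nonce, captured)
```

Freshness is only half of the fix; the transport still needs TLS so that neither the password nor the hash is visible on the network in the first place.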

Finally, the links to the official mobile app stores published on the company's website are not direct links but URL-shortener links (bitly, for example) that redirect to the stores. An attacker in a man-in-the-middle position could replace those links and redirect the user to dangerous pages.

[Image: betFIRST gambling app]

What’s being exposed?

PII that is exposed when a user registers in the app and creates an account includes:

● Username
● Password
● E-mail
● First name, Last name
● Date of Birth
● Mailing Address
● City
● Country
● Mobile phone number

PII that is exposed when a user logs in via the mobile app:

● Username
● MD5 password hash

What can you do?

Avoid using the apps over public and potentially insecure Wi-Fi hotspots in order to minimize the risk of traffic interception.

Businesses should have an active mobile security service deployed to monitor for data leaks in applications used by staff. A content filtering service is also recommended to limit access to categories of apps and websites, such as gambling.


Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera's blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.