
This app gives hackers free tickets to your bank account


Liarna La Porta

To be, or not to be hacked? That is the question you should be asking yourself before booking tickets to your next theatre performance in France. In a day and age when booking tickets through a mobile app is commonplace, hackers have yet another way to get their hands on your credit card details.

Researchers at Wandera have identified a vulnerability in the official mobile apps from French ticket booking website, Ticketac, that puts personally identifiable information (PII) at risk.

Download the Ticketac Threat Advisory


How does it happen?

The vulnerability impacts both the Android and iOS mobile apps from Ticketac. Encryption isn’t used when the user first creates the account, nor at any later login through the app. As a result, user credentials are transmitted ‘in the clear’, exposing them to any attacker or third-party observer on the network.

Worse still, credit card related details are transmitted over an insecure connection during the booking process, giving a hacker backstage access to your bank account.
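To make the cleartext exposure concrete from the defender’s side, here is an added example (not Wandera’s or Ticketac’s code) of a small detector that inspects captured HTTP requests and flags credentials or Luhn-valid card numbers sent without TLS, the kind of check a mobile security gateway applies to app traffic. The hostnames, paths, field names and request bodies are constructed samples, not observed Ticketac traffic.

```javascript
// Added example (not Wandera's or Ticketac's code): flag PII carried in
// requests that use plain HTTP instead of HTTPS. Sample traffic is constructed.

// Form field names treated as sensitive (assumed names, for illustration).
const SENSITIVE_FIELDS = new Set([
  'email', 'password', 'cardnumber', 'card_number', 'cvv', 'expiry', 'exp_date',
]);

// Luhn checksum: true for digit strings whose check digit is consistent,
// which is how payment card numbers are recognised in DLP-style scanning.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Parse an application/x-www-form-urlencoded body into lower-cased keys.
function parseForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k).toLowerCase()] =
      decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Return the findings for one request; empty when nothing is exposed.
function inspectRequest(req) {
  const findings = [];
  if (req.scheme !== 'http') return findings; // TLS in use: nothing observable
  const fields = parseForm(req.body || '');
  for (const [name, value] of Object.entries(fields)) {
    if (SENSITIVE_FIELDS.has(name)) {
      findings.push(`${name} sent in cleartext to ${req.host}${req.path}`);
    }
    const digits = value.replace(/[\s-]/g, '');
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) {
      findings.push(`Luhn-valid card number in field "${name}" to ${req.host}${req.path}`);
    }
  }
  return findings;
}

// Constructed sample traffic; the host is a placeholder, not Ticketac's.
const SAMPLE_REQUESTS = [
  { scheme: 'http', host: 'api.example-tickets.invalid', path: '/login',
    body: 'email=alice%40example.com&password=hunter2' },
  { scheme: 'http', host: 'api.example-tickets.invalid', path: '/pay',
    body: 'cardnumber=4111+1111+1111+1111&cvv=123&expiry=12%2F26' },
  { scheme: 'https', host: 'api.example-tickets.invalid', path: '/login',
    body: 'email=alice%40example.com&password=hunter2' },
];

// Scan a batch of requests and return every finding.
function scan(requests = SAMPLE_REQUESTS) {
  return requests.flatMap(inspectRequest);
}

for (const f of scan()) console.log('ALERT:', f);
```

The third sample uses HTTPS and produces no finding: an on-path observer sees only the TLS handshake, which is exactly why the fix for the apps is to move registration, login and payment onto an encrypted connection rather than to filter fields.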

While the website does use an encrypted connection and is not susceptible to the attacks described above, it is vulnerable to a reflected cross-site scripting (XSS) attack vector which, combined with a successful social engineering campaign, can be used to hijack a user’s session.

What is Cross Site Scripting?

XSS attacks allow an attacker to compromise a user’s session by running malicious code on the client side. For example, an attacker sends the victim a crafted link carrying malicious JavaScript; when the victim clicks the link, the JavaScript runs in the victim’s browser and carries out the attacker’s instructions.

Since cookies are used as the session management mechanism, an attacker can craft JavaScript that sends the session cookie back to the attacker. With that cookie, the attacker gains unauthorized access to the user’s personal account and can impersonate the user.
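The following added example (not code from Wandera or from the Ticketac site) shows the reflection bug class described above beside its fix: a page that concatenates a query parameter straight into HTML, the same page with output encoding, and the cookie attributes that keep a session cookie out of reach of page script even if an XSS bug slips through. The page template, the query value and the session identifier are assumptions for illustration.

```javascript
// Added example (not Wandera's or Ticketac's code): reflected XSS, its fix by
// output encoding, and session-cookie attributes that limit the damage.

// Vulnerable: the search term is concatenated into the HTML unchanged, so a
// crafted link carrying markup in the query string is rendered as markup.
function renderResultsVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// HTML-encode the five characters that can change document structure.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same page with the untrusted value encoded on output.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude check used only to show the difference between the two renderers:
// does the page contain a script tag that came from the input?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie,
// Secure keeps it off cleartext HTTP, SameSite limits cross-site sending.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed input standing in for a crafted link's query parameter.
const CRAFTED_QUERY = 'hamlet<script>alert(1)</script>';

console.log(renderResultsVulnerable(CRAFTED_QUERY));
console.log(renderResultsSafe(CRAFTED_QUERY));
console.log('Set-Cookie: ' + sessionCookieHeader('example-session-id'));
```

Output encoding at the point where untrusted data meets HTML is the fix for the bug itself; the `HttpOnly` attribute is defence in depth, since it denies any injected script direct access to the cookie the page above describes being stolen.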


What’s being exposed?

The PII exposed during account registration includes:

  • Email
  • Full Name
  • Password

The PII exposed during the login process includes:

  • Email
  • Password

The PII exposed during a payment request includes:

  • Credit Card Type
  • Credit Card Number
  • Expiration Date
  • CVV Number

What can I do?

Avoid using the apps over public and potentially insecure Wi-Fi hotspots to minimize the risk of traffic interception.

Businesses should have an active mobile security service deployed to block data leaks from any application used by employees. A content filtering service is also recommended to limit access to categories of apps and websites, such as gambling.

The latest mobile threats that you should know about

Our Threat Advisories present useful information on new mobile threats, their implications and practical steps for remediation and prevention, enabling you to swiftly address each new threat before it impacts your business.


Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start-ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.

All stories by: Liarna La Porta