Businesses typically discourage the use of gambling sites and apps on their employees’ corporate devices due to compliance and productivity risks. But they may not have thought about the security risks. It’s not surprising that a gambling app would use insufficient security measures. In many cases, gambling sites and apps aren’t being actively blocked on devices and so employees are continuing to put their own sensitive data, and that of their company, at the mercy of hackers.

Wandera has discovered a vulnerability in the iOS and Android apps of betFIRST, a leader in sports betting and online gaming in Belgium, that puts personally identifiable information (PII) at risk.

How does it happen?

When a user registers for an account, sensitive information such as username and password is sent unencrypted across the internet. As a result, this information is exposed to any attacker or third-party observer on the network.
Unfortunately, the lack of encryption is not the only violation of security best practices made by betFIRST.
You might’ve come across those annoying prompts to create a password longer than eight characters, using at least one number and one symbol. This is password security best practice and is enforced for good reason.
betFIRST only requires a password to be at least six characters, far shorter than the industry-recommended minimum.
Additionally, the betFIRST apps transmit an MD5 hash of the password as a "protection mechanism" during the login process. Because that hash is the same on every login, an attacker who captures it can hijack the user's session simply by replaying the login request.
Finally, the links to the official mobile app stores published on the company's website are not direct links but URL shorteners, such as bitly, that redirect to the stores. An attacker in a man-in-the-middle position could therefore replace these links and redirect users to malicious pages.
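To make the replay problem concrete, here is an added example (not code from Wandera or betFIRST) that models two login designs side by side: one that accepts a static MD5 of the password as the credential, and a challenge-response design in which the server issues a single-use nonce and the client proves knowledge of the password with an HMAC keyed by a salted, slow-hashed verifier. It also wires in the eight-character/digit/symbol password policy the article describes. All names (`StaticHashLogin`, `ChallengeLogin`, the sample user and password) are constructed for the illustration; the challenge-response scheme shows only why a fresh nonce defeats replay and is not a substitute for TLS, which a real app still needs so the exchange cannot be observed or tampered with in the first place.

```python
import hashlib
import hmac
import re
import secrets

# Password policy as described in the article: at least eight characters,
# with at least one digit and one symbol (assumed rule set, not betFIRST's code).
POLICY_MIN_LENGTH = 8


def password_meets_policy(password: str) -> bool:
    return (len(password) >= POLICY_MIN_LENGTH
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def derive_verifier(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so the stored verifier is not a bare hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def client_proof(password: str, salt: bytes, nonce: bytes) -> str:
    # What the client sends: an HMAC over the server's nonce, keyed by the verifier.
    return hmac.new(derive_verifier(password, salt), nonce, "sha256").hexdigest()


class StaticHashLogin:
    """Models a login endpoint that accepts md5(password) as the credential.
    The value on the wire never changes, so whoever observes one login
    holds a credential that keeps working."""

    def __init__(self):
        self._verifiers = {}  # username -> md5 hex digest

    def register(self, username: str, password: str) -> None:
        self._verifiers[username] = hashlib.md5(password.encode()).hexdigest()

    def login(self, username: str, credential: str) -> bool:
        stored = self._verifiers.get(username, "")
        return hmac.compare_digest(stored, credential)


class ChallengeLogin:
    """Challenge-response login: each attempt gets a fresh single-use nonce,
    so a captured proof is bound to a nonce that has already been consumed."""

    def __init__(self):
        self._verifiers = {}  # username -> (salt, verifier)
        self._pending = {}    # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self._verifiers[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        salt, _ = self._verifiers[username]
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return salt, nonce

    def login(self, username: str, proof: str) -> bool:
        nonce = self._pending.pop(username, None)  # single use: removed on first attempt
        if nonce is None:
            return False
        _, verifier = self._verifiers[username]
        expected = hmac.new(verifier, nonce, "sha256").hexdigest()
        return hmac.compare_digest(expected, proof)


def demo():
    """Returns (weak_first, weak_replay, strong_first, strong_replay)."""
    pw = "S3cret!pw"  # constructed sample password that satisfies the policy

    weak = StaticHashLogin()
    weak.register("alice", pw)
    on_the_wire = hashlib.md5(pw.encode()).hexdigest()  # the static value an observer sees
    weak_first = weak.login("alice", on_the_wire)
    weak_replay = weak.login("alice", on_the_wire)      # still accepted

    strong = ChallengeLogin()
    strong.register("alice", pw)
    salt, nonce = strong.challenge("alice")
    proof = client_proof(pw, salt, nonce)
    strong_first = strong.login("alice", proof)
    strong_replay = strong.login("alice", proof)        # rejected: nonce consumed
    return weak_first, weak_replay, strong_first, strong_replay


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The design point is that client-side hashing on its own only changes which string is the password-equivalent secret; it is the per-attempt nonce (and, in practice, transport encryption) that stops a captured login from being reused.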

What’s being exposed?

PII exposed when a user registers for an account through the app includes:
● Username
● Password
● E-mail
● First name, Last name
● Date of Birth
● Mailing Address
● City
● Country
● Mobile phone number
PII exposed when a user logs in via the mobile app:
● Username
● MD5 password hash

What can you do?

Avoid using these apps over public or otherwise untrusted Wi-Fi hotspots to reduce the risk of traffic interception.
Businesses should have an active mobile security service deployed to monitor for data leaks in applications used by staff. A content filtering service is also recommended to limit access to categories of apps and websites, such as gambling.
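As an added example of the kind of monitoring the advice above calls for (this is illustrative code, not Wandera's product or betFIRST's), the following scans constructed mobile-proxy log lines for the two behaviours described in this advisory: credential or PII fields sent over plain HTTP, and a password field whose value looks like a bare MD5 digest, which is flagged regardless of transport because a static hash is reusable however it is obtained. The log format, field names and hostnames are assumptions made for the sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real betFIRST traffic).
# Assumed format: "<timestamp> <METHOD> <url> body=<urlencoded body or ->"
SAMPLE_LOG = """\
2019-05-01T10:00:01Z POST http://example-betting.invalid/api/register body=username=alice&password=S3cret%21pw&email=alice%40example.invalid
2019-05-01T10:00:05Z POST http://example-betting.invalid/api/login body=username=alice&password=7e4d9a5c3b2f1e0d8c7b6a5f4e3d2c1b
2019-05-01T10:00:09Z GET https://example-betting.invalid/api/odds?sport=football body=-
2019-05-01T10:00:12Z POST https://example-betting.invalid/api/login body=username=bob&password=0123456789abcdef0123456789abcdef
"""

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}
PII_FIELDS = {"email", "phone", "mobile", "dob", "address"}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
LINE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>\S+)$")


def parse_line(line: str):
    """Split one log line into scheme, host, path and the merged query/body fields."""
    m = LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    fields = parse_qs(url.query)
    if m["body"] != "-":
        fields.update(parse_qs(m["body"]))
    return {
        "ts": m["ts"],
        "method": m["method"],
        "scheme": url.scheme,
        "host": url.hostname,
        "path": url.path,
        "fields": {k: v[0] for k, v in fields.items()},
    }


def findings_for(rec) -> list:
    """Apply the two detection rules to one parsed request."""
    out = []
    names = set(rec["fields"])
    # Rule 1: sensitive field names on an unencrypted request.
    if rec["scheme"] == "http" and names & (CREDENTIAL_FIELDS | PII_FIELDS):
        out.append("plaintext-credentials-or-pii-over-http")
    # Rule 2: a credential field carrying a bare 32-hex value (MD5-shaped, replayable).
    for name in sorted(names & CREDENTIAL_FIELDS):
        if MD5_HEX.match(rec["fields"][name]):
            out.append("static-md5-credential")
    return out


def scan(log_text: str) -> list:
    """Return (timestamp, host, path, findings) for every line that triggers a rule."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = findings_for(rec)
        if found:
            results.append((rec["ts"], rec["host"], rec["path"], found))
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In a real deployment the parser would read the proxy or MDM export format actually in use, and the rules would feed a ticket or block action rather than print; the two rules themselves are what a mobile security service would need to catch the behaviours this advisory describes.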
Read the full Threat Advisory here