Our Threat Ops Team recently identified that both the Android and iOS versions of the CBS Sports app transfer PII (Personally Identifiable Information), including passwords, zip codes and birth dates, over an insecure connection. Furthermore, the login and sign-up processes of the mobile CBS Sports website are likewise open to interception: neither is protected by encryption.
Since mobile users are exposed to man-in-the-middle attacks, we believe this potential data exposure is highly sensitive and has a large impact surface, especially during popular sports events when app and website usage rises significantly, e.g. the ongoing NCAA tournament.
Like other rational agents, cyber criminals tend to select their targets based on the likelihood of success. Highly popular events such as the NCAA Basketball tournament, combined with a popular but vulnerable app or website, represent an attractive target.
The CBS Sports app is among the most popular sources of sports news, with millions of downloads and a dedicated section covering the NCAA tournament. App users have the option to create an account with the CBS Sports app and use it across the mobile and desktop websites. Our researchers have identified that a significant amount of personal data is collected during the account registration process, and that all of these details are sent in clear text over an unencrypted connection to the app’s backend servers. The PII exposed is listed as follows:
- First name and surname
- Email address
- Account password in clear text
- Date of birth
- Zip code
The CBS Sports mobile website provides similar functionality to the app, but during the login process the mobile website fails to encrypt the data, and the user’s email/user ID and password are transmitted in clear text. A further, less severe data leak was identified in the unprotected “Forgot User ID or password” functionality, which exposes only the user’s email address.
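The cleartext submissions described above are the kind of defect a release check over a proxy capture should catch before an app ships. The following Python is an added example and is not code from this advisory, from the CBS Sports app or from its backend; the proxy-log records, the hostname `app-backend.invalid` and the form-field names are constructed assumptions standing in for whatever the real app uses. It flags any non-HTTPS request whose query string or form body carries fields matching the PII categories the advisory lists (name, email, password, date of birth, zip code).

```python
"""Added example: flag PII submitted over cleartext HTTP in proxy-log records.

Not code from the original advisory. Hostnames, paths and field names below
are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Assumed form-field names, mapped to the PII category they would expose.
# The real app's parameter names are not known; these are illustrative.
PII_FIELDS = {
    "first_name": "name",
    "last_name": "name",
    "email": "email address",
    "user_id": "email address",
    "password": "password",
    "passwd": "password",
    "dob": "date of birth",
    "birthdate": "date of birth",
    "zip": "zip code",
    "zipcode": "zip code",
}

# Constructed proxy-log records: one per HTTP request, as a capture tool might
# export them. Only the URL (scheme, host, path, query) and the form body matter.
SAMPLE_RECORDS = [
    {"url": "http://app-backend.invalid/account/signup",
     "body": "first_name=Ada&last_name=Lovelace&email=ada%40example.invalid"
             "&password=hunter2&dob=1990-01-01&zip=90210"},
    {"url": "https://app-backend.invalid/account/login",
     "body": "email=ada%40example.invalid&password=hunter2"},
    {"url": "http://app-backend.invalid/news?section=ncaa", "body": ""},
    {"url": "http://app-backend.invalid/account/forgot",
     "body": "email=ada%40example.invalid"},
]


@dataclass
class Finding:
    """A cleartext request carrying at least one PII category."""
    url: str
    categories: list  # sorted, de-duplicated category names


def find_cleartext_pii(records):
    """Return a Finding for every record sent over a non-HTTPS scheme whose
    query string or form body contains a known PII field name."""
    findings = []
    for rec in records:
        parsed = urlparse(rec["url"])
        if parsed.scheme.lower() == "https":
            continue  # encrypted in transit; not a cleartext exposure
        params = parse_qs(parsed.query)
        params.update(parse_qs(rec.get("body", "")))
        cats = sorted({PII_FIELDS[k.lower()] for k in params if k.lower() in PII_FIELDS})
        if cats:
            findings.append(Finding(rec["url"], cats))
    return findings


def worst_category(findings):
    """Return 'password' if any finding exposes a credential, else the first
    category found, else None. Passwords rank above the other categories."""
    seen = [c for f in findings for c in f.categories]
    if "password" in seen:
        return "password"
    return seen[0] if seen else None


if __name__ == "__main__":
    for f in find_cleartext_pii(SAMPLE_RECORDS):
        print(f"{f.url}: {', '.join(f.categories)}")
    print("worst exposure:", worst_category(find_cleartext_pii(SAMPLE_RECORDS)))
```

Run against the constructed records, the sign-up request is reported with all five categories and the forgot-password request with only the email address, while the HTTPS login request and the PII-free news request are ignored. The same scan would flag a mobile-site login form posting to an `http://` action, since only the scheme and the field names are inspected.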
Remediation and Prevention
Recommendation: The mobile website/app should only be used when connected to a trusted secure access point.
Recommendation: Users should have an active mobile security service deployed to block data leaks.