Just days before this year’s Big Game between the New England Patriots and Seattle Seahawks, the security team at Wandera discovered a serious security hole in the popular Official NFL app. The vulnerability was leaving highly valuable personal information exposed to hackers. The risk was particularly high at a time when NFL fans around the world were likely to be accessing the app ahead of the biggest game in the season.
Wandera’s scanning technologies discovered that after the user securely signed into the app with their NFL.com account, the app leaked their username and password in a secondary, insecure (unencrypted) API call. The app also leaked the user’s username and email address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains.
With these credentials, an attacker could have accessed the user's full NFL profile. The profile page was served unencrypted as well, so the registered personal data (including email, postal address, phone number, occupation and date of birth) was equally exposed to man-in-the-middle interception.
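The two leaks described above (credentials repeated in a cleartext secondary call, and identity values set in cookies without the Secure flag, then replayed over HTTP) are exactly what an app security reviewer should audit for after a login. The script below is an added example, not Wandera's tooling or any NFL code: it takes a capture of the app's own HTTP transactions, already decoded to method, URL, headers and body, and reports every place a known test-account value (username, password, email) appears where it should not. All hosts, paths, cookie names and account values are constructed for the example; the only real assumption is that the reviewer controls the test account and therefore knows the strings to look for.

```python
"""Audit captured mobile-app HTTP transactions for credentials or PII that
travel in cleartext: the class of leak described above.

Added example, not Wandera's or the NFL's code. All transactions, hosts and
account values below are constructed for illustration.
"""
from urllib.parse import urlsplit, unquote

# Known values for the reviewer's own test account (constructed). The audit
# looks for these exact strings anywhere they must not appear in the clear.
KNOWN_SECRETS = {
    "username": "nflfan42",
    "password": "Hunter2!",
    "email": "nflfan42@example.invalid",
}

# Constructed capture: one proper TLS login, then the kind of secondary call
# and cookie replay the text describes. Not real traffic.
SAMPLE_CAPTURE = [
    {   # proper login over TLS: credentials here are expected
        "method": "POST", "url": "https://id.example.invalid/login",
        "request_headers": {},
        "body": "username=nflfan42&password=Hunter2!",
        "response_headers": {"Set-Cookie": ["sid=abc123; Secure; HttpOnly"]},
    },
    {   # secondary call repeats the credentials over plain HTTP and sets
        # identity cookies without the Secure flag
        "method": "POST", "url": "http://api.example.invalid/profile/sync",
        "request_headers": {},
        "body": "username=nflfan42&password=Hunter2!&device=ios",
        "response_headers": {"Set-Cookie": [
            "user=nflfan42; Path=/",
            "email=nflfan42%40example.invalid; Path=/",
        ]},
    },
    {   # later call replays the non-Secure cookies over HTTP
        "method": "GET", "url": "http://www.example.invalid/account",
        "request_headers": {"Cookie": "user=nflfan42; email=nflfan42%40example.invalid"},
        "body": "",
        "response_headers": {},
    },
]


def _contains_secret(text, secrets):
    """Names of known secrets whose value appears in text after URL-decoding
    (so an email encoded as %40 in a cookie is still caught)."""
    decoded = unquote(text)
    return sorted(name for name, value in secrets.items() if value and value in decoded)


def _parse_set_cookie(header):
    """Split 'name=value; Flag; Attr=x' into (name, value, {lowercased flags})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, value, flags


def audit_capture(capture, secrets=KNOWN_SECRETS):
    """Return (kind, location, [secret names]) findings for a list of transactions."""
    findings = []
    for tx in capture:
        cleartext = urlsplit(tx["url"]).scheme == "http"
        where = f"{tx['method']} {tx['url']}"
        if cleartext:
            # Known secrets in a cleartext URL or body: the secondary-call leak
            hits = _contains_secret(tx["url"] + "\n" + tx.get("body", ""), secrets)
            if hits:
                findings.append(("cleartext_credentials", where, hits))
            # Known secrets in a cookie sent over HTTP: the cookie replay leak
            hits = _contains_secret(tx["request_headers"].get("Cookie", ""), secrets)
            if hits:
                findings.append(("cleartext_cookie", where, hits))
        # Identity values in any cookie that lacks Secure (or is set over
        # HTTP) will be sent in the clear on a later request
        for sc in tx["response_headers"].get("Set-Cookie", []):
            name, value, flags = _parse_set_cookie(sc)
            hits = _contains_secret(value, secrets)
            if hits and ("secure" not in flags or cleartext):
                findings.append(("insecure_cookie", f"{where} Set-Cookie {name}", hits))
    return findings


if __name__ == "__main__":
    for kind, where, hits in audit_capture(SAMPLE_CAPTURE):
        print(f"{kind:22} {hits} at {where}")
```

Run against the constructed capture, the audit reports four findings: the credentials in the HTTP `profile/sync` body, the two non-Secure identity cookies that response sets, and the replay of those cookies on the later HTTP request; the TLS login alone produces none. Searching for known values rather than guessing at field names is what makes the check robust to renamed parameters and encoded cookie values.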
A very high percentage of Official NFL app users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may have been the same one used to access sensitive corporate data, banking sites, or other high-value targets. Moreover, date of birth, name, address and phone number are exactly the building blocks required to carry out identity theft against NFL fans.