To be, or not to be hacked? That is the question you should be asking yourself before booking tickets to your next theatre performance in France. In a day and age when booking tickets through a mobile app is commonplace, hackers have yet another way to get their hands on your credit card details.

Researchers at Wandera have identified a vulnerability in the official mobile apps from French ticket booking website, Ticketac, that puts personally identifiable information (PII) at risk.

How does it happen?

The vulnerability affects both the Android and iOS mobile apps from Ticketac. Encryption isn’t used when the user first creates the account, nor at any time the user logs in through the app thereafter. As a result, user credentials are transmitted ‘in the clear’, exposing them to any attacker or third-party observer on the network.
Worse still, credit card details are transmitted over an insecure connection during the booking process, giving a hacker backstage access to your bank account.
While the website does use an encrypted connection and is not susceptible to the aforementioned attacks, it is vulnerable to a reflected cross-site scripting (XSS) attack vector which, combined with a successful social engineering campaign, can be used to hijack a user’s session.

What is Cross Site Scripting?

XSS attacks allow the attacker to compromise a user’s session by running malicious code on the client side. For example, if an attacker sends the victim a crafted link containing malicious JavaScript, the JavaScript runs when the victim clicks the link and carries out the attacker’s instructions.
Since cookies are used as the session management mechanism, an attacker can craft JavaScript that sends the cookie back to them. As a result the attacker can gain unauthorized access to the user’s personal account and impersonate the user.

What’s being exposed?

The PII exposed during account registration includes:

  • Email
  • Full Name
  • Password

The PII exposed during the login process includes:

  • Email
  • Password

The PII exposed during a payment request includes:

  • Credit Card Type
  • Credit Card Number
  • Expiration Date
  • CVV Number
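One check a defender could run over captured app traffic to catch both issues described above (sensitive fields sent without TLS, and session cookies that injected JavaScript could read), written here as an added example rather than Wandera’s or Ticketac’s own tooling; the endpoint URLs, parameter names and cookie values are constructed, since the advisory names none:

```python
from urllib.parse import urlsplit, parse_qs

# Field names standing in for the three flows in the advisory (constructed;
# the real Ticketac parameter names are not given on the page).
CREDENTIAL_FIELDS = {"email", "name", "password"}
CARD_FIELDS = {"card_type", "card_number", "expiry", "cvv"}
SENSITIVE_FIELDS = CREDENTIAL_FIELDS | CARD_FIELDS


def audit_request(method, url, body=""):
    """Flag sensitive fields carried in a request that is not over https."""
    parts = urlsplit(url)
    fields = set(parse_qs(parts.query)) | set(parse_qs(body))
    leaked = sorted(fields & SENSITIVE_FIELDS)
    if parts.scheme != "https" and leaked:
        return [f"{method} {url}: cleartext {', '.join(leaked)}"]
    return []


def audit_set_cookie(header):
    """Flag a Set-Cookie header whose cookie lacks HttpOnly or Secure."""
    attrs = [a.strip() for a in header.split(";")]
    name = attrs[0].split("=", 1)[0]
    flags = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    findings = []
    if "httponly" not in flags:
        findings.append(f"cookie {name}: missing HttpOnly (readable by injected JS)")
    if "secure" not in flags:
        findings.append(f"cookie {name}: missing Secure (may be sent over http)")
    return findings


# Constructed sample capture: registration and payment over plain http,
# login over https, plus one bad and one well-flagged session cookie.
SAMPLE_EXCHANGES = [
    ("POST", "http://app.example/register", "email=a%40b.fr&name=A+B&password=pw"),
    ("POST", "https://app.example/login", "email=a%40b.fr&password=pw"),
    ("POST", "http://app.example/pay", "card_number=4111&expiry=1226&cvv=123"),
]
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly",
]


def run_audit(exchanges=SAMPLE_EXCHANGES, cookies=SAMPLE_SET_COOKIE):
    findings = []
    for method, url, body in exchanges:
        findings += audit_request(method, url, body)
    for header in cookies:
        findings += audit_set_cookie(header)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```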

What can I do?

Avoid using the apps over public and potentially insecure Wi-Fi hotspots to minimize the risk of traffic interception.
Businesses should have an active mobile security service deployed to block data leaks among any applications that are used by employees. A content filtering service is also recommended to limit access to groups of apps and websites, such as gambling.