http://www.theregister.co.uk/2013/09/06/yahoo_gridiron_game_uncryption/
By John Leyden
The Register
6th September 2013
Security researchers have discovered a vulnerability in mobile versions of
the Yahoo! Fantasy [American] Football app that created a means for
hackers to change team lineups and post impostor comments on message
boards.
Yahoo! has plugged the security hole, but users who fail to update their
mobile app to the most recent version are at risk of having their lineups
manipulated by other league managers or troublemaking hackers, warns NT
OBJECTives, the application security testing firm that uncovered the
snafu.
NT OBJECTives discovered the fantasy football app to be vulnerable to
session hijacking, in which an attacker takes over a genuine user's
authenticated session by obtaining its session identifier, during a
vulnerability-testing exercise. The security hole created a means for
pranksters to manipulate other players' lineups, putting injured or
poor-performing players in the weekly lineup while benching top-rated
players on that individual's team. The issue arose as a result of a
catalog of related security shortcomings.
The API used by Yahoo!'s American Football mobile app failed to use SSL,
so even a simple rogue WiFi hotspot could see the traffic between the
mobile app and the Yahoo! Fantasy Football API. In addition, session
cookies lasted for over a month, meaning that once snaffled, hackers could
abuse stolen session cookies to make changes in team lineups and more for
an extended period, likely covering an entire season of the gridiron game.
The app relied on simple session cookies rather than requests signed with
a private token to authenticate them.
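The three weaknesses in the paragraph above compound: a cleartext transport lets the cookie be captured, a month-long lifetime lets the captured cookie be replayed all season, and a bearer cookie means nothing else binds a request to its sender. The following Python is an added example, not code from the article, Yahoo! or NT OBJECTives. It models a hypothetical lineup-update endpoint first with a bearer cookie (the vulnerable pattern) and then with a per-request HMAC over method, path, body, timestamp and nonce (one form of the "signed by a private token" design the article contrasts it with). All user names, cookie values, paths and keys are constructed.

```python
"""Added example: bearer-cookie replay versus per-request HMAC signing.

Hypothetical lineup API; every identifier and value below is constructed.
"""
import hashlib
import hmac
import secrets

DAY = 86400
COOKIE = "Y=v=1&n=deadbeef"  # constructed cookie value as an eavesdropper would capture it


# --- Vulnerable pattern: the session cookie is a bearer token -----------------

def make_sessions(issued_at, lifetime):
    """Constructed session store: cookie value -> owning user and expiry time."""
    return {COOKIE: {"user": "alice", "expires": issued_at + lifetime}}


def cookie_only_set_lineup(sessions, cookie, lineup, now):
    """Server that trusts whoever presents a still-valid cookie."""
    sess = sessions.get(cookie)
    if sess is None or now > sess["expires"]:
        return 401, None
    return 200, (sess["user"], lineup)


# --- Hardened pattern: HMAC over method, path, body, timestamp and nonce ------

def canonical(method, path, body, ts, nonce):
    """Byte string both sides MAC; every field an attacker might alter is included."""
    return "\n".join([method, path, body, str(ts), nonce]).encode()


def sign_request(user, secret, method, path, body, ts, nonce):
    """Client side: the per-user secret stays on the device, only the MAC is sent."""
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-User": user, "X-Ts": str(ts), "X-Nonce": nonce, "X-Sig": mac}


def signed_set_lineup(keys, seen_nonces, headers, method, path, body, now, max_skew=300):
    """Server side: bound the timestamp, reject reused nonces, recompute the MAC."""
    secret = keys.get(headers.get("X-User"))
    if secret is None:
        return 401, None
    try:
        ts = int(headers["X-Ts"])
    except (KeyError, ValueError):
        return 401, None
    if abs(now - ts) > max_skew:
        return 401, None  # stale request: a capture cannot be reused days later
    nonce = headers.get("X-Nonce", "")
    if nonce in seen_nonces:
        return 401, None  # straight replay of a captured request
    expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Sig", "")):
        return 401, None  # path or body tampered with after capture
    seen_nonces.add(nonce)
    return 200, (headers["X-User"], body)


def demo():
    """Status code of each attempt, keyed by scenario."""
    results = {}
    t0 = 0
    # Eavesdropper captures the cookie on day 0 and replays it on day 30.
    results["cookie_replay_35day_ttl"] = cookie_only_set_lineup(
        make_sessions(t0, 35 * DAY), COOKIE, "bench QB1", t0 + 30 * DAY)[0]
    results["cookie_replay_1h_ttl"] = cookie_only_set_lineup(
        make_sessions(t0, 3600), COOKIE, "bench QB1", t0 + 30 * DAY)[0]

    # Signed API: the same eavesdropper captures one legitimate request.
    keys = {"alice": secrets.token_bytes(32)}
    path, body = "/fantasy/league/1/team/7/lineup", "start=WR1&bench=WR2"
    hdrs = sign_request("alice", keys["alice"], "PUT", path, body, t0, "n1")
    seen = set()
    results["signed_genuine"] = signed_set_lineup(keys, seen, hdrs, "PUT", path, body, t0 + 5)[0]
    results["signed_replay_same_nonce"] = signed_set_lineup(keys, seen, hdrs, "PUT", path, body, t0 + 10)[0]
    tampered = "start=INJURED_RB&bench=RB1"
    results["signed_tampered_body"] = signed_set_lineup(keys, set(), hdrs, "PUT", path, tampered, t0 + 5)[0]
    results["signed_replay_30_days_later"] = signed_set_lineup(keys, set(), hdrs, "PUT", path, body, t0 + 30 * DAY)[0]
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:30} -> {status}")
```

The signed variant stops the replay and tampering cases the article describes, but it is not a substitute for TLS: the lineup itself and the user name still travel in the clear, and the nonce set needs to be shared across servers and pruned once a timestamp falls outside the skew window.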
[...]