The show "TORUK" of the famous Cirque du Soleil used one for advertising reasons application, που καθιστούσε τα κινητά των χρηστών ευάλωτα. Η εφαρμογή, που ονομαζόταν “TORUK – The First Flight”, was designed to allow iOS and Android users to participate in the performance through synchronized audio-visual effects generated on their mobiles.
"It seems that the security factor was not taken into account when designing the TORUK application. As a result, anyone connected to the network during the show had the same management capabilities as the Cirque du Soleil administrators, ”explains ESET researcher Lukáš ftefanko, who analyzed the application.
The "TORUK - The First Flight" application has over 100.000 downloads on Google Play, while there is also an iOS version.
With the completion of the "TORUK" performances, the application ceased to be available and the people in charge of Cirque du Soleil stated that they will withdraw it from the official app stores for Android and Apple devices.
When this app is used, it opens a local port to enable remote volume settings, detect nearby Bluetooth devices (if Bluetooth is enabled), appearance animation, setting the “Like” button for Facebook as well as participating in shared preferences accessible in the application.
"The problem is that the application does not have an authentication protocol. An expert can scan the network, collect the IP addresses of the devices when the specific port is open (port 6161) and send commands to all devices that use the application ", Štefanko explains.
According to Štefanko, it would be very simple to shield the enforcement against this kind of attack.
If the application created a unique token for each device, it would be impossible for anyone to access all devices massively without authentication testing
After the show, all devices that have this app installed are still vulnerable, so users are at risk of experiencing unpleasant surprises at any time in the future if they are connected to a public network.
"Users who have installed this application must uninstall it immediately. By the way, we recommend that they do this with all applications designed for a specific use ", Štefanko concludes.
More information can be found on this blogpost by Lukáš ftefanko “A great show is now history, as is its insecure mobile app” on ESET Android App Watch.
___________________
- WiFi view the stored codes in Windows
- Pocket Drones for soldiers are being tested in Afghanistan
- Kodachi Linux 6.1 anti forensic anonymous operating
