On 31 January, a few weeks before the start of the world-renowned RSA Conference 2014, the application of the same name was released on Google Play. Experts quickly identified several security issues.
The RSA Conference 2014 application allows users to keep track of activity, the event list and the schedule, and to connect with colleagues through a social and professional networking tool.
Security researchers from IOActive decided to take a look at the application to see how safe it is. In a short time, they identified a total of six vulnerabilities.
The most serious of these can be exploited for man-in-the-middle (MitM) attacks. An attacker could inject a phishing site to collect delegates' logins.
IOActive's Gunter Ollmann says: "If we were dealing with a banking app, then we would have no luck, but this particular app has only been downloaded a few thousand times, and I have serious doubts about whether a hacker would waste his time on an application that will only give him the credentials of a conference."
However, there is another security issue that is quite easy to exploit and could be much more profitable for attackers.
The application's information is compiled into a SQLite database that can be downloaded to the user's smartphone. This file contains information on each user registered for RSA Conference 2014, including name, company and title.
While there are no passwords or other sensitive data in this file, hackers could probably use this information in many ways.
It should be said that the application was not developed by RSA. It was created by QuickMobile, a company that has developed similar applications for several major companies such as McDonald's, Adobe, Kaspersky, Red Hat and many others.
However, even though RSA did not develop the application, it still had to check its security and integrity.