On January 31, a few weeks before the start of the world-famous RSA Conference 2014, the app of the same name was released on Google Play. Experts quickly identified several security issues.
The RSA Conference 2014 app allows users to keep track of activity, the event list and the schedule, and to connect with colleagues through a social and professional networking tool.
Security researchers from IOActive decided to take a look at the application to see how safe it is. In a short time, they identified a total of six vulnerabilities.
The most serious of these can be exploited for man-in-the-middle (MitM) attacks. An attacker could inject a phishing site to collect delegates' logins.
Gunter Ollmann of IOActive says: “If we were dealing with a banking app, then they would be out of luck, but this particular app has only been downloaded a few thousand times, and I seriously doubt that any hacker would waste his time on an application that will only give him the credentials of a conference”.
However, there is another security issue that is quite easy to exploit, and it could be much more profitable to attackers.
The app's information is collected in an SQLite database that can be downloaded to the smartphone. This file contains the information of every user who has registered for RSA Conference 2014, including full name, company and title.
Although there are no passwords or other sensitive information in this file, hackers could potentially use this information in many ways.
It should be said that the app was not developed by RSA. It was created by QuickMobile, a company that has developed similar applications for several large companies, such as McDonalds, Adobe, Kaspersky, Red Hat, and many others.
However, even though RSA did not develop the application, it should have checked its security and integrity.