Black Hat 2016

Black Hat security conference trims insecure features from its mobile app

Flaws could have let attackers spoof the identity of attendees, spy on their messages

[Image: Black Hat mobile app screen grab. Credit: Black Hat]

Black Hat has disabled features of its mobile application because attackers could have logged in as legitimate attendees, posted messages in their names and spied on the messages they sent.

The problems were discovered by mobile security vendor Lookout, which details them in a blog post saying that the app's registration and password-reset mechanisms were flawed.

“[W]e've removed user-to-user messaging functionality and activity feed updates out of an abundance of caution,” a spokesperson for the conference organizer UBM said in an email.


The problems stemmed from two design decisions: new accounts were created without email verification, and a password reset did not revoke the account's existing authentication tokens. An attacker who had already logged in to an account therefore stayed logged in even after the victim changed the password.
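To make the second flaw concrete, the following is an added example (it is not code from the Black Hat app, UBM, or Lookout, and nothing is known about how the real app stores sessions). It models a tiny login service with an in-memory user store, HMAC-signed tokens, and a per-user token generation counter; all three are assumptions chosen for illustration. It shows a reset routine that only changes the password hash next to one that also bumps the generation, so that any token issued before the reset fails validation. It also goes slightly beyond the article by refusing to issue tokens until the account's email has been verified, mirroring the first flaw.

```python
"""Toy login service: why a password reset must revoke existing tokens.

Added example, not the Black Hat app's code. The in-memory user store, the
user:generation:mac token format and the generation counter are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side key used to sign session tokens (assumed; generated per process here).
SERVER_KEY = secrets.token_bytes(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    def __init__(self, username: str, password: str) -> None:
        if ":" in username:
            raise ValueError("':' is reserved as the token separator")
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)
        # Every valid token carries the current generation; bumping it on a
        # password reset invalidates all tokens issued before the reset.
        self.token_generation = 0
        self.email_verified = False


USERS: Dict[str, User] = {}


def register(username: str, password: str) -> User:
    user = User(username, password)
    USERS[username] = user
    return user


def verify_email(username: str) -> None:
    """Stand-in for the user clicking the emailed verification link."""
    USERS[username].email_verified = True


def issue_token(username: str, password: str) -> Optional[str]:
    """Log in. Returns a signed token 'user:generation:mac', or None on failure."""
    user = USERS.get(username)
    if user is None or not user.email_verified:
        return None  # unverified accounts cannot obtain a session
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return None
    payload = f"{user.username}:{user.token_generation}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def validate_token(token: str) -> Optional[str]:
    """Returns the username the token authenticates, or None if invalid or revoked."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, generation, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}:{generation}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered
    user = USERS.get(username)
    if user is None or int(generation) != user.token_generation:
        return None  # genuine, but issued before the last password reset
    return username


def reset_password_flawed(username: str, new_password: str) -> None:
    """Changes the password but leaves every old token valid."""
    user = USERS[username]
    user.password_hash = _hash_password(new_password, user.salt)


def reset_password(username: str, new_password: str) -> None:
    """Changes the password and revokes every previously issued token."""
    user = USERS[username]
    user.password_hash = _hash_password(new_password, user.salt)
    user.token_generation += 1


def demo() -> Tuple[bool, bool]:
    """Returns (old token valid after flawed reset, old token valid after proper reset)."""
    register("alice", "hunter2")
    verify_email("alice")
    stolen = issue_token("alice", "hunter2")  # a token an attacker obtained earlier
    reset_password_flawed("alice", "correct horse")
    valid_after_flawed_reset = validate_token(stolen) == "alice"
    reset_password("alice", "battery staple")
    valid_after_proper_reset = validate_token(stolen) == "alice"
    return valid_after_flawed_reset, valid_after_proper_reset


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The generation counter is one of several equivalent designs; storing a `password_changed_at` timestamp in the user record and rejecting tokens issued before it, or keeping a server-side session table and deleting the user's rows on reset, achieves the same result. What matters is that the reset path touches the session state at all, which is the step the article says was missing.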

Lookout says the problems it found created several possible threats. Attackers could pretend to be someone else when posting to the conference activity feed and when using in-app messaging.

The account spying the flaws enabled could reveal where victims would be at given times, creating a physical security risk, and it would persist even after a password reset because the old authentication tokens were never revoked.

Users who have already downloaded the app don’t have to update it; that will be done via push by the conference.

This story, "Black Hat security conference trims insecure features from its mobile app " was originally published by Network World.
