When a conference dedicated to cybersecurity ends up leaking attendee information via its mobile app… Okay, cybersecurity is no joke but at least when you are trying to be the leader of the game and gathering who you think are the most important people in the industry, try not to expose their details?
The 2018 RSA Conference that managed to attract quite a few controversies even before it started has ended with another one. The conference apparently leaked personal information of its attendees through the official 2018 RSA Conference Mobile app.
Related [Update] Another MASSIVE Data Leak: “Life in 123 Million American Households Exposed Online”
If you attended #RSAC2018 and see your first name there – sorry! ? pic.twitter.com/YrgZo6jHDu
— svbl (@svblxyz) April 20, 2018
The security researcher, who goes by svbl on Twitter, discovered a flaw in the 2018 RSA Conference app that exposed a database of information revealing data on conference attendees. Thanks to an unsecured API, the database could have been accessed via credentials hard-coded into the app. The security researcher also shared the steps he took to access the information.
For those who want to reproduce (1/3):
– Create account @ https://t.co/kATJX5kn0P
– Login to the App
– Extract the Sync_Token from /data/data/com.rsa.rsaconference/shared_prefs/prefs.rsa2018.xml
– Open https://t.co/ZuM7psDmVUSync_Token— svbl (@svblxyz) April 20, 2018
Related Popular Keyboard App with Tens of Millions of Downloads Leaks Data of Its 31 Million Users
The Conference organizers have now acknowledged this breach, confirming that 114 first and last names of app users were “improperly accessed.” They worked with the mobile event platform Eventbase to fix the flaw before others could access this and more personal data.
“No other personal information was accessed, and we have every indication that the incident has been contained,” the RSAConference tweeted. “We continue to take the matter seriously and monitor the situation.”
It now appears that this wasn’t the only problem with the app since it demanded a little too many permissions.
yeah, you install that app.
you give it access to everything.
if i hear you whine that your shit got stolen i will actually black bag you and make you eat your phone. pic.twitter.com/DlHKwYoDiS— D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ (@Viss) April 19, 2018
While the community is praising conference organizers for a quick fix, it is ironic, to say the least, that it all depended on a security researcher to decide to inform the organizers responsibly instead of trying to poke in further for more data.
