ESPN's ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw


Which mobile application do you use to check the scores of your favorite games? If that's ESPN's ScoreCenter for iOS, then you have a problem, and it's called a "false feeling of security".

According to Zscaler, the application not only transmits account data in plain text, but is also susceptible to an XSS flaw that allows the potential injection of active content.

A logical question emerges: what would an attacker do with your ESPN member account if it gets compromised by a malicious party that's sniffing for passwords across insecure networks, and is the scenario I'm about to discuss feasible enough for a real-world fraudulent operation?

Once compromised, an ESPN account offers a potential attacker access to your birth date, as well as complete access to your groups and friends lists, allowing the attacker to attempt to launch fraudulent campaigns on your behalf, such as disseminating links to client-side exploits and malware-serving sites, campaigns directly impersonating ESPN, or "need cash now" type scams.

In reality, though, in 2013 these very same cybercriminals rely on much more efficient techniques for getting access to a prospective victim's PC and account data. This means that, despite the application's lack of SSL support, unless you use the same email and password across multiple Web sites or have a vast social networking circle inside the portal, there's little to worry about except the "false feeling of security" provided to you by ESPN.

The lack of SSL support in mobile applications is not a problem specific to one mobile OS; it's independent of the mobile OS. In 2012, researchers from the Leibniz University of Hanover and the Philipp University of Marburg analyzed 13,500 Android applications and found that 1,074 of them were susceptible to man-in-the-middle (MITM) attacks.

What can users do to protect against the "false feeling of security" offered to them by all of these mobile application developers?

Tunneling your traffic through a VPN, on both your PC and your mobile device, whenever you're interacting with the Internet over a WiFi network, whether it's a secured or a public one, is highly advisable. If your employer isn't providing you with one, consider finding a commercial alternative. Although the solution to this ongoing trend would be a successful SSL implementation within these applications, the use of a VPN mitigates a certain percentage of the risk when using WiFi networks.

Find out more about Dancho Danchev at his LinkedIn profile.



Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
