A Cirque du Soleil mobile application developed for the Toruk show left every user's device open to exploitation by allowing commands to be sent to every device in the crowd.
On Monday, cybersecurity researchers from ESET said the "Toruk - The First Flight" application, designed to boost crowd interaction through audiovisual effects, was not designed with security in mind.
Upon examination, ESET researcher Lukáš Štefanko found that "anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators."
The app has no authentication in place. As a result, an open port -- port 6161 -- could be used by attackers to remotely control any device running Toruk: tampering with volume settings, displaying content, forcing the discovery of nearby Bluetooth devices, and reading or writing the shared preferences the app is able to access.
An attacker could scan the network to harvest the IP addresses of vulnerable devices. While the mischief they could cause is limited, all it would have taken to prevent this mass access was for the app to generate a unique token for each device, without the need for any other form of authentication.
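The per-device token fix described above, as an added example that is not the Toruk app's code or ESET's: the message format, the command names and the `enroll_device` / `TokenChannel` names are assumptions for illustration, not the app's real protocol on port 6161. `OpenChannel` obeys any command that reaches it, which is the pattern the article describes; `TokenChannel` only obeys a command that carries the random token issued to that particular device at enrollment, so a scanner that finds the port still cannot drive the device, and a token harvested from one device does not work against another.

```python
import hmac
import json
import secrets
from typing import Callable, Dict

# Hypothetical handlers standing in for the kinds of actions the article lists
# (volume, on-screen content). Not the Toruk app's real API.
def set_volume(state: dict, level: int) -> str:
    state["volume"] = max(0, min(100, int(level)))
    return f"volume={state['volume']}"

def show_content(state: dict, asset: str) -> str:
    state["content"] = str(asset)
    return f"content={state['content']}"

COMMANDS: Dict[str, Callable[..., str]] = {
    "set_volume": set_volume,
    "show_content": show_content,
}

class OpenChannel:
    """Unauthenticated listener: anything that reaches the port is obeyed.
    This is the weak pattern the article describes, in simplified form."""

    def __init__(self) -> None:
        self.state: dict = {}

    def handle(self, raw: bytes) -> str:
        msg = json.loads(raw)  # assumed message shape: {"cmd": ..., "args": [...]}
        handler = COMMANDS.get(msg.get("cmd"))
        if handler is None:
            return "error: unknown command"
        return handler(self.state, *msg.get("args", []))

class TokenChannel:
    """Listener that only obeys commands carrying this device's enrollment token."""

    def __init__(self, token: str) -> None:
        self.state: dict = {}
        self._token = token.encode()

    def handle(self, raw: bytes) -> str:
        try:
            msg = json.loads(raw)
        except ValueError:
            return "error: malformed"
        presented = msg.get("token")
        # Constant-time comparison so a wrong token cannot be guessed byte by byte.
        if not isinstance(presented, str) or not hmac.compare_digest(
            presented.encode(), self._token
        ):
            return "error: unauthorized"
        handler = COMMANDS.get(msg.get("cmd"))
        if handler is None:
            return "error: unknown command"
        try:
            return handler(self.state, *msg.get("args", []))
        except (TypeError, ValueError):
            return "error: bad arguments"

def enroll_device(registry: Dict[str, str], device_id: str) -> str:
    """Operator backend issues a fresh random token per device at install time
    and remembers which device it belongs to (hypothetical enrollment step)."""
    token = secrets.token_urlsafe(32)
    registry[device_id] = token
    return token

def operator_command(registry: Dict[str, str], device_id: str, cmd: str, args: list) -> bytes:
    """The operator addresses one device by attaching that device's own token."""
    return json.dumps({"token": registry[device_id], "cmd": cmd, "args": args}).encode()

if __name__ == "__main__":
    # Constructed demo: an attacker's broadcast message works against the open
    # channel, fails against the token channel, and a stolen token is scoped to one device.
    attacker_msg = b'{"cmd": "set_volume", "args": [100]}'
    print("open channel:  ", OpenChannel().handle(attacker_msg))
    registry: Dict[str, str] = {}
    seat12 = TokenChannel(enroll_device(registry, "seat-12"))
    seat13 = TokenChannel(enroll_device(registry, "seat-13"))
    print("token channel: ", seat12.handle(attacker_msg))
    print("operator:      ", seat12.handle(operator_command(registry, "seat-12", "set_volume", [100])))
    print("cross-device:  ", seat13.handle(operator_command(registry, "seat-12", "set_volume", [100])))
```

The token here is the only control, matching the article's point that no further authentication layer was needed to stop crowd-wide commands. It still travels in the clear, so on an open venue network an attacker who can sniff traffic could capture a token for the devices whose traffic they see; wrapping the channel in TLS would close that gap, but that is beyond what the article proposes.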
ESET attempted to reach out to Cirque du Soleil in March but did not receive a response. The researchers tried again in May, only to be met with radio silence.
As the Toruk show ended its production run at the end of June, the researchers decided to wait until July to reveal their findings. The application is no longer needed and so should be uninstalled immediately -- a worthwhile security practice for any single-use or single-purpose mobile application.
However, Cirque du Soleil does intend to pull the app from Google Play and the Apple App Store now that the show is over.
"We weighed the security risks connected with the app, which we consider moderate, against the negative effect of harming the show after five years of touring the globe and with a few performances to go," the team said.
ZDNet has reached out to Cirque du Soleil and will update if we hear back.