A vulnerability in the Sky Go Windows desktop application which leaks session data including usernames has been disclosed by a researcher.
The desktop application performs several requests over plain HTTP. Without any form of encryption in place, any information sent via these requests is not hashed or protected, leaving users open to attack.
In particular, Man-in-The-Middle (MiTM) attacks are of concern, in which threat actors can monitor unencrypted data flows and either tamper with communications channels or steal data.
In this case, Wright says Sky Go usernames and other session data is at risk.
"When the application is initially installed and run, the victim's Sky username is present in several requests which are performed over plain HTTP," Wright says. "Thus an attacker who is able to gain access to these requests via a MiTM attack, would be able to gain the victim's username."
"Some of the requests contain potentially sensitive information which could be useful to an attacker," the researcher added.
First discovered on 22 May 2018 and publicly disclosed on 19 January 2019, the problem has been issued a CVVSv3 base score of 5.4.
The vulnerability impacts Sky Go versions 1.0.23-1 - 1.0.19-1, although the researcher noted that other versions may also be affected.
Wright also provided steps to reproduce the flaw by way of proof-of-concept (PoC) code.
After disclosing the security issue to Sky on the same day as discovery, roughly a week later, the vendor said it was investigating. On 8 June, Sky told Wright that the issue was being fixed, but it wasn't until September when the company revealed a patch would be applied during scheduled releases.
It is not known whether the vulnerability has been fixed. Wright told us that after 20 November, when Sky assured the researcher a patch was on its way, he "received no further response from Sky, so I'm assuming that they have yet to release the fix."
Sky begun rolling out a fix last year and the patch process is expected to finish by the end of January.
"Given the need for companies to move to HTTPS this issue still highlights that even larger companies are still lagging behind, as well as dragging behind when it comes to resolving these issues," Wright told ZDNet. "Hopefully by publicly highlighting some of these issues we can hopefully get the visibility into these type of issues and get companies to finally start paying the appropriate attention to them."