Sky Go app security failure exposes customers to snooping, data theft

A researcher uncovered requests which were sent without encryption in place.
Written by Charlie Osborne, Contributing Writer

A vulnerability in the Sky Go Windows desktop application which leaks session data including usernames has been disclosed by a researcher.

According to application security expert Sean Wright, the security flaw, CVE-2018-18908, relates to the transfer of data in plain text.

The desktop application performs several requests over plain HTTP. Without any form of encryption in place, any information sent via these requests is not hashed or protected, leaving users open to attack.

In particular, Man-in-The-Middle (MiTM) attacks are of concern, in which threat actors can monitor unencrypted data flows and either tamper with communications channels or steal data.

In this case, Wright says Sky Go usernames and other session data is at risk.

"When the application is initially installed and run, the victim's Sky username is present in several requests which are performed over plain HTTP," Wright says. "Thus an attacker who is able to gain access to these requests via a MiTM attack, would be able to gain the victim's username."

"Some of the requests contain potentially sensitive information which could be useful to an attacker," the researcher added.

See also: DarkHydrus abuses Google Drive to spread RogueRobin Trojan

First discovered on 22 May 2018 and publicly disclosed on 19 January 2019, the problem has been issued a CVVSv3 base score of 5.4.

The vulnerability impacts Sky Go versions 1.0.23-1 - 1.0.19-1, although the researcher noted that other versions may also be affected. 

Wright also provided steps to reproduce the flaw by way of proof-of-concept (PoC) code. 

After disclosing the security issue to Sky on the same day as discovery, roughly a week later, the vendor said it was investigating. On 8 June, Sky told Wright that the issue was being fixed, but it wasn't until September when the company revealed a patch would be applied during scheduled releases.

TechRepublic: Hackers turn to data theft and resale on the Dark Web for higher payouts

It is not known whether the vulnerability has been fixed. Wright told us that after 20 November, when Sky assured the researcher a patch was on its way, he "received no further response from Sky, so I'm assuming that they have yet to release the fix."

Sky begun rolling out a fix last year and the patch process is expected to finish by the end of January.

CNET: Even if you're off social media, your friends could be ruining your privacy

"Given the need for companies to move to HTTPS this issue still highlights that even larger companies are still lagging behind, as well as dragging behind when it comes to resolving these issues," Wright told ZDNet. "Hopefully by publicly highlighting some of these issues we can hopefully get the visibility into these type of issues and get companies to finally start paying the appropriate attention to them."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards