: Dec 19, 2012Version
: 3.0.0 Build 361Size
: 13.1 MBLanguage
: ESPN Inc.Operating System
Update: [01/18/13 4:19pm EST] Zscaler was contacted by ESPN to inform us that they have addressed both of the vulnerabilities that we informed them about on the server-side and we have confirmed this. We want to thank ESPN for working quickly to protect their users.
is a popular sports application on the iOS platform (currently the #1 free sports app in iTunes). The app delivers live scores, news, video, alerts, etc. and is an official application of ESPN Inc. Version 3.0 of the app features a completely redesigned the UI, but also includes a couple of key vulnerabilities.
Vulnerability #1 - XSS
We tend not to think of mobile applications as being vulnerable to cross-site scripting (XSS). After all XSS
XSS is of course valuable for a variety of attacks, such as stealing a user's authentication cookie, however, in this case that may not be necessary, thanks to vulnerability #2...
Vulnerability #2 - Clear Text Authentication Credentials
I'm continually surprised by just how common it is for mobile applications to pass authentication credentials in clear text. Mobile apps often pose a higher risk than their web based counterparts and this illustrates the reason why. In many ways, mobile apps behave like web apps, but without the many visual controls provided to end users to spot and avoid insecure behavior. In a web app for example, if your password is about to be sent insecurely, you have warning signs. Perhaps you notice that SSL is not being enabled as you don't see the lock icon or perhaps SSL is being used but with an invalid certificate which you are warned about by a standard popup message. In mobile apps, these same vulnerabilities exist, but end users are blind to them as mobile app developers do not have to include any warning signs and in an effort to conserve screen real estate, generally don't. Think about it, when viewing web content in a mobile app, you normally have no way of knowing where the content is actually coming from because there is no address bar to reveal the source URL.
ESPN ScoreCenter's flaw - sending your password in clear text. Therefore, anyone sniffing traffic on the network would be able to easily steal your username/password. More often than not, when I see this flaw, it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you've created an account, subsequent logins at the regular login page (/mobile/apps/reg/loginlanding) are sent via HTTPS. This is not the case however when an account is first created, with the username/password sent in clear text :
POST /mobile/apps/reg/createaccount HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A551
Accept-Encoding: gzip, deflate
It isn't hard to uncover security flaws such as this, it simply requires inspecting the HTTP(S) traffic sent by an application. It is disappointing to see that the testing performed on apps before they are admitted by Apple to the iTunes store does not even include such basic security tests such as looking for XSS vulns and sending passwords in clear text.
These flaws were uncovered by leveraging Zscaler's free ZAP
(Zscaler Application Profiler) service to inspect the application traffic. Want to test the apps on your Android/iOS device to see if they're exposing unnecessary risk? Test them with ZAP