Thursday, January 17, 2013

Mobile App Wall of Shame: ESPN ScoreCenter


ESPN ScoreCenter

Price: Free
Category: Sports
Updated: Dec 19, 2012
Version: 3.0.0 Build 361
Size: 13.1 MB
Language: English
Vendor: ESPN Inc.
Operating System: iOS

Update: [01/18/13 4:19pm EST] Zscaler was contacted by ESPN to inform us that they have addressed both of the vulnerabilities that we informed them about on the server-side and we have confirmed this. We want to thank ESPN for working quickly to protect their users.

Background

ESPN ScoreCenter is a popular sports application on the iOS platform (currently the #1 free sports app in iTunes). The app delivers live scores, news, video, alerts, etc. and is an official application of ESPN Inc. Version 3.0 of the app features a completely redesigned the UI, but also includes a couple of key vulnerabilities.

Vulnerability #1 - XSS

We tend not to think of mobile applications as being vulnerable to cross-site scripting (XSS). After all XSS belongs to the domain of web applications and mobile apps are native apps. Right? Not necessarily. Many mobile apps are actually just web pages displayed in a WebView control or more commonly web content mixed in with native controls and such is the case for ESPN SportsCenter. As with many web apps, when user supplied content isn't properly sanitized, active content, such as JavaScript can be injected. The included screenshot illustrates a simple alert window being displayed within the application. The vulnerable page also exists on the mobile web version of the app during logout and can be seen in the following sample URL:

http://m.espn.go.com/mobile/apps/reg/login?lang=en&timeOffset=-300&swid=63DBACA2-032F-491E-A28D-1B4835DC14XX&username=%3Cscript%3Ealert('test')%3C/script%3E

XSS is of course valuable for a variety of attacks, such as stealing a user's authentication cookie, however, in this case that may not be necessary, thanks to vulnerability #2...

Vulnerability #2 - Clear Text Authentication Credentials

I'm continually surprised by just how common it is for mobile applications to pass authentication credentials in clear text. Mobile apps often pose a higher risk than their web based counterparts and this illustrates the reason why. In many ways, mobile apps behave like web apps, but without the many visual controls provided to end users to spot and avoid insecure behavior. In a web app for example, if your password is about to be sent insecurely, you have warning signs. Perhaps you notice that SSL is not being enabled as you don't see the lock icon or perhaps SSL is being used but with an invalid certificate which you are warned about by a standard popup message. In mobile apps, these same vulnerabilities exist, but end users are blind to them as mobile app developers do not have to include any warning signs and in an effort to conserve screen real estate, generally don't. Think about it, when viewing web content in a mobile app, you normally have no way of knowing where the content is actually coming from because there is no address bar to reveal the source URL.

ESPN ScoreCenter's flaw - sending your password in clear text. Therefore, anyone sniffing traffic on the network would be able to easily steal your username/password. More often than not, when I see this flaw, it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you've created an account, subsequent logins at the regular login page (/mobile/apps/reg/loginlanding) are sent via HTTPS. This is not the case however when an account is first created, with the username/password sent in clear text : 

http://m.espn.go.com/mobile/apps/reg/createaccount

POST /mobile/apps/reg/createaccount HTTP/1.1
Host: m.espn.go.com
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A551
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://m.espn.go.com/mobile/apps/reg/createaccount
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: s_vi=62b95c266882437b80b87bd3e078cac5805e20de20a8387999d1c6b02c74a2d6
Proxy-Connection: keep-alive
Content-Length: 329
Origin: http://m.espn.go.com
Accept-Encoding: gzip, deflate

passedSubId=&langCode=&udid=&version=&userAgent=Mozilla%2F5.0+%28iPhone%3B+CPU+iPhone+OS+6_0_2+like+Mac+OS+X%29+AppleWebKit%2F536.26+%28KHTML&country=US&form=true&policies=true&firstname=ThreatLabZ&lastname=Zscaler&username=ThreatLabZ&gspw=Zscaler&email=threatlabz%40zscaler.com&birthdayMonth=1&birthdayDay=2&birthdayYear=1973 

Conclusion

It isn't hard to uncover security flaws such as this, it simply requires inspecting the HTTP(S) traffic sent by an application. It is disappointing to see that the testing performed on apps before they are admitted by Apple to the iTunes store does not even include such basic security tests such as looking for XSS vulns and sending passwords in clear text.

These flaws were uncovered by leveraging Zscaler's free ZAP (Zscaler Application Profiler) service to inspect the application traffic. Want to test the apps on your Android/iOS device to see if they're exposing unnecessary risk? Test them with ZAP.

6 comments:

Minty said...

hi, there are more vulnerabilities with this app, how about allowing to set a password as 'password' when you create an account, scaryE

Anonymous said...

Seems everyone wants a security tool called ZAP these days.....

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

http://code.google.com/p/zaproxy/

thomascook said...

Not only this 2 vulnerabilities. Found more vulnerabilities. Our app developers found vulnerabilities and suggest to install security tool while accessing. Our team here: http://innopplinc.com

Hiep Bee said...

how about allowing to set a password as 'password' when you create an account, scaryE
vé máy bay đi hà nội

vé máy bay đi sài gòn said...

i don't have smart phone to use this app, can you share me version desktop ?
Thanks
vé máy bay đi sài gòn

ve may bay, ve may bay gia re said...

thank you, it was wonderful