ESPN ScoreCenter, one of the most popular mobile sports apps on the market, has significant security vulnerabilities that could compromise users’ mobile devices, including the threat of information theft.
First, by displaying basic web content without properly sanitizing user-supplied input, ESPN SportsCenter exposes a cross-site scripting (XSS) flaw. As a result, active content such as JavaScript can be injected into the app.
Second, ESPN SportsCenter passes authentication credentials in clear text when an account is first created. By sending the password in clear text, ESPN ScoreCenter enables anyone sniffing traffic on the network to easily steal that key piece of information.
“It’s necessary to recollect that a lot of mobile apps don’t seem to be native applications—they’re essentially web pages displayed in a WebView management, or even simply online page mixed in with native controls,” said Michael Sutton, VP, Security Research, Zscaler ThreatLabZ.
“As such, vulnerabilities common to internet applications may occur in mobile apps. Users should bear in mind that such vulnerabilities in mobile apps typically remain hidden, as apps don’t have equivalent visual indicators to point out that knowledge is being sent insecurely,” Sutton added.
The flaws were uncovered using Zscaler Application Profiler (ZAP), a free online tool that makes it simple to assess mobile apps for security risks. ESPN said it is looking into the vulnerabilities in the ScoreCenter app.