NFL.com Android App Exposes User Profile Data to Attackers

Vegas bookies may be watching the Seattle Seahawks and New England Patriots closely this Super Bowl Sunday, but black hat hackers may be more interested in collecting personal data from fans' Android devices, a mobile security firm warned today.

January 27, 2015

An attacker positioned between the device and the server (on the same Wi-Fi network, for example) could launch a man-in-the-middle attack against a serious vulnerability in the popular NFL Mobile app, which exposes sensitive personal data belonging to users of the Android app, Wandera said in an advisory. A company spokesperson told SecurityWatch the problem remains unfixed.

"It is ironic that just like a quarterback being vulnerable to an interception, the NFL app is vulnerable to a man-in-the-middle attack that puts users' data at risk of interception by hackers," said Eldar Tuvey, the CEO of Wandera.

Unencrypted Calls Leak User Info
The app has the user sign in with NFL.com credentials over an encrypted connection, but it then re-sends the username and password in a secondary API call that is not encrypted, Wandera researchers found. The username and email address are also placed in a cookie that the app sends unencrypted immediately after login and on subsequent calls to nfl.com. With the captured credentials, an attacker can log in and read the user's full profile on nfl.com. The profile page itself is served unencrypted, so an attacker in a man-in-the-middle position can read it straight off the wire. Because none of this traffic is protected by TLS, the attacker does not need to break or spoof a certificate; passively watching traffic on a shared network is enough.
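To make the failure pattern concrete, here is an added example (not code from the article or from Wandera) that scans a captured sequence of app requests and flags the ones an on-path attacker could read: plaintext HTTP requests that carry credentials or identity fields in the query string, the body or the Cookie header. The capture is constructed to mirror the sequence described above (an HTTPS login followed by cleartext calls); the hostnames, paths, parameter names and cookie names are hypothetical, not the real app's.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample capture (hypothetical hosts and fields): what an
# interception proxy might record for an app that logs in over HTTPS and
# then keeps talking to the backend over plain HTTP.
SAMPLE_CAPTURE = [
    {"scheme": "https", "method": "POST", "host": "login.example-app.test",
     "path": "/auth",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=GoHawks2015"},
    {"scheme": "http", "method": "GET", "host": "api.example-app.test",
     "path": "/profile?username=fan42&password=GoHawks2015",
     "headers": {"Cookie": "uid=fan42; email=fan42%40example.test"},
     "body": ""},
    {"scheme": "http", "method": "GET", "host": "www.example-app.test",
     "path": "/account",
     "headers": {"Cookie": "session=abc123"},
     "body": ""},
]

# Parameter and cookie names that should never travel in the clear.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "username", "user", "email"}


def _param_names(encoded):
    """Lower-cased parameter names in a URL-encoded query string or body."""
    return {k.lower() for k in parse_qs(encoded, keep_blank_values=True)}


def _cookie_names(cookie_header):
    """Lower-cased cookie names from a request Cookie header."""
    return {part.split("=", 1)[0].strip().lower()
            for part in cookie_header.split(";") if part.strip()}


def find_cleartext_leaks(capture):
    """Return one finding per plaintext HTTP request that exposes something.

    A request is reported if it sends a sensitive parameter in its query
    string or body, or sends any cookie at all (a cookie over HTTP can be
    replayed by whoever captured it, whatever it contains).
    """
    findings = []
    for req in capture:
        if req["scheme"] != "http":
            continue  # TLS-protected; a passive on-path attacker cannot read it
        query = urlparse(req["path"]).query
        cookies = _cookie_names(req["headers"].get("Cookie", ""))
        leaked = SENSITIVE_KEYS & (_param_names(query)
                                   | _param_names(req["body"])
                                   | cookies)
        if leaked or cookies:
            findings.append({
                "url": "{}://{}{}".format(req["scheme"], req["host"], req["path"]),
                "leaked": sorted(leaked),
                "cookies": sorted(cookies),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(finding["url"])
        print("  sensitive fields in the clear:", finding["leaked"])
        print("  cookies sent over HTTP:       ", finding["cookies"])
```

Run against the constructed capture, the HTTPS login is ignored, the profile call is reported for sending the username, password and email in the clear, and the account page is reported for sending a session cookie over HTTP. The same check, pointed at a real capture exported from an interception proxy, is the quickest way to confirm whether a fix has actually moved every credential-bearing call onto TLS.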

"The risk is particularly high at this time, when users are likely to be accessing the app ahead of the biggest game of the season between the New England Patriots and Seattle Seahawks," the company said in its advisory.

It is unclear at this point whether saved credit card information would be visible to the attacker, as the security team did not attempt to purchase any NFL-branded merchandise from the site during this analysis. It's also not clear if the same flaw exists in other NFL apps, such as NFL Now and NFL Fantasy Football.

For the time being, get your Super Bowl fix through the website, not the NFL app. Don't put yourself at risk.

Risks to Users With the App
Password reuse is still a big problem, so users who have the same email/password combination for other accounts may find those accounts compromised, Wandera warned. Profile information such as date-of-birth, full name, email and postal addresses, occupation, TV provider, gender, and phone number can be used for identity theft, phishing, and social engineering.

"Date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans," Tuvey said.

If you are using the same password on other sites, particularly sensitive ones such as banking and email, change those passwords immediately.

Criminals have targeted professional sports sites and apps in the past. NFL fans were tricked by fake Facebook pages into clicking on malicious links to sites serving Zeus malware in 2013. Malicious advertisements on MLB.com served fake antivirus to unsuspecting visitors in 2012. A fake mobile app masquerading as the MADDEN NFL 12 game rooted devices, intercepted SMS messages, and connected devices to a botnet, McAfee researchers found in 2012.

Cyber-attackers also like to target popular events and newsworthy items to spread malware and run phishing attacks, taking advantage of people looking for the latest information and updates. OpenDNS identified a website attempting to mimic BBC News and serving up false information about the shootings at Charlie Hebdo earlier this month. There were several spam and malware campaigns targeting the Olympics in London and Sochi, as well as past Super Bowl games. Websites belonging to the Miami Dolphins served up malware for at least a week before the Super Bowl in 2007.

About Fahmida Y. Rashid

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source. Follow me on Twitter: zdfyrashid