In Honor Of Super Bowl Week – NFL Mobile App Is Like Swiss Cheese

January 28, 2015 mitch tanenbaum

Dark Reading is reporting that the NFL mobile app has a few problems in it – not so much different than NFL officiating.

Wandera performed a scan of the app and discovered that after a successful login, the app leaks your credentials in an unencrypted API call. In addition, it leaks your login name and email address too (which is probably enough to do a password reset).

That is enough, they say, to get the hacker into the user’s NFL web page, which is also unencrypted, which would allow the hacker to siphon off your address, phone number, occupation, date of birth, gender, if the user entered that in their profile.

As a side note, all they use that for is to push ads to you, so if possible, I recommend NOT entering that data and if they require you to do so, then enter bogus data. You may have to enter an occupation, but who says that you are not a mortician or clean septic tanks for a living. There is no data validation. And, as you go from site to site, enter different information – just to mess with the ad data people.

Anyway, back to the NFL. Wandera did not try making a purchase, but given the above information, the security there is pretty suspect as well.

Since many users reuse passwords, getting their NFL.com password may give the hacker access to someone’s email or Amazon account too.

I recommend that if you are going to reuse passwords, break them into categories. One category I call trash sites are sites that have the lowest possible security needs and least sensitive data (at least as long as you told them that you were 92, female, lived in Paris, France and were a jockey). The NFL.com site would fall into that category. At least that way, if that password was compromised, nothing else important would be compromised.

But here is the best part. The NFL, like politicians, love to spin things. Their answer to this issue was:

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

Obviously, this answer is total bulls&*t, but they probably figure most fans will trust them implicitly – like they trust the referee’s calls. There is NOTHING they can do, technically, on the back end to fix this problem. Can’t be done. Total lie.

My suggestion is don’t fill out your profile and don’t purchase anything from their web site – buy stuff somewhere else.

Mitch