IOACTIVE LABS HAS FOUND half a dozen security flaws in RSA Security's Conference 2014 app.
This looks bad of course, particularly when one of the flaws sees it exposing the name, surname, title, employer, and nationality of "every registered user of the application". It is also bad when the hot topic at the RSA show is, of course, security.
The six flaws found by IOactive were discussed in a blog post by security chap Gunter Ollman. He said that a few weeks ago he downloaded the app and suggested that his peers do so too.
"Maybe it was a reaction to being spammed with a never-ending tirade of 'come see us at RSA' emails, or it was topical off the back of a recent blog on the state of mobile banking application security, or maybe both," he said.
"I asked some of the IOactive consulting team who had a little bench time between jobs to have a poke at freshly minted 'RSA Conference 2014' mobile application."
Ollman was not expecting to find much, but said that the app had the potential to embarrass.
"The team came back rather quickly with a half dozen security issues. Technically the highest impact vulnerability had to do with the app being vulnerable to man in the middle attacks, where an attacker could inject additional code into the login sequence and phish credentials," he added.
"It was the second most severe vulnerability that caught my eye though. The RSA Conference 2014 application downloads a SQLite DB file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application - including their name, surname, title, employer, and nationality."
Ollman added that he had "no idea why the app developers chose to do that" and said that he suspects that downloaders were expecting it.
According to his blog post the app was built, or at least the Google Play version was, by a firm called Quickmobile, which is an app developer that specialises in conferences. Ollman said that the firm has a number of other clients, and pondered whether their apps are equally flawed.
We have asked RSA and Quickmobile to comment. RSA has already had to deal with reports of a shocked post-PRISM speaker exodus from its events. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted