Information Security News mailing list archives
American Fantasy Football app lets hackers change team rosters
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 9 Sep 2013 05:15:08 +0000 (UTC)
http://www.theregister.co.uk/2013/09/06/yahoo_gridiron_game_uncryption/
By John Leyden
The Register
6th September 2013

Security researchers have discovered a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.
Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.
NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, in which an attacker takes over the session of an already-authenticated user, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players' lineups, putting injured or poor-performing players in the weekly lineup while benching top-rated players on that individual's team. The issue arose as a result of a catalog of related security shortcomings.
The API used by Yahoo!'s American Football mobile app failed to use SSL, so even a simple rogue Wi-Fi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning that once snaffled, hackers could abuse stolen session cookies to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.
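The two cookie weaknesses named above (no expiry, no signature) are easiest to see side by side. The following is an added illustration, not code from Yahoo! or NT OBJECTives: a bare session table that never expires, next to an HMAC-signed token with a short lifetime that rejects both replay after expiry and edited claims. The key, user ids and timestamps are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side key for the example; a real key stays on the server only.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
DAY = 86400

# Weak design from the article: an opaque cookie looked up in a table that
# never expires, so a captured value keeps working for the whole season.
_bare_sessions = {}

def bare_issue(user_id, cookie_value):
    _bare_sessions[cookie_value] = user_id
    return cookie_value

def bare_verify(cookie_value, now):
    # 'now' is unused on purpose: nothing about the cookie ever expires.
    return _bare_sessions.get(cookie_value)

# Hardened alternative: claims bound to a server key by HMAC-SHA256 and given
# a short expiry, so a replayed or edited token is rejected.
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signed_issue(user_id, now, ttl_seconds=3600):
    claims = json.dumps({"uid": user_id, "exp": int(now + ttl_seconds)},
                        separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)

def signed_verify(token, now):
    # Returns the user id for a valid token, None for anything malformed,
    # tampered with, or expired.
    try:
        claims_part, tag_part = token.split(".")
        claims, tag = _unb64(claims_part), _unb64(tag_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    parsed = json.loads(claims)
    return parsed["uid"] if now < parsed.get("exp", 0) else None

def tamper(token, new_uid):
    # Edit the claims but keep the original tag, as someone without the key would.
    claims_part, tag_part = token.split(".")
    claims = json.loads(_unb64(claims_part))
    claims["uid"] = new_uid
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag_part
```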
[...]