Security experts have warned of a major flaw in the official NFL Mobile app which could expose sensitive personal information to hackers, just days before Sunday’s Super Bowl XLIX.
Mobile security firm Wandera claimed that although users are signed into the app securely via their NFL.com account, the application then exposes these log-ins through an unencrypted API call.
The app also leaks the user’s username and email address in an unencrypted cookie post-login and on subsequent calls by the app to nfl.com domains, the firm said.
Hackers could fairly easily retrieve this information and use it to access more personal details on the user’s NFL.com account profile – which is also apparently unencrypted and therefore vulnerable to a Man in the Middle attack.
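As an added illustration (not Wandera's tooling or the app's own code), the following Python audit walks a set of constructed traffic records and flags the three exposures described above: credential material on an unencrypted API call, identity data in a cookie sent over plain HTTP, and cookies issued without the Secure attribute, which is what lets a client replay them on cleartext links. All hostnames, cookie names and values are made up.

```python
"""Audit constructed app traffic records for cleartext credential and cookie
exposure. Example code, not Wandera's review tooling or the NFL app's code."""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

EMAIL_RE = re.compile(r"[^@\s;=]+@[^@\s;=]+\.[a-z]{2,}", re.I)
CREDENTIAL_KEYS = {"username", "password", "email", "token", "session"}

@dataclass
class HttpRecord:
    method: str
    url: str
    headers: dict = field(default_factory=dict)      # request headers (e.g. Cookie)
    body: str = ""                                     # form-encoded request body
    set_cookies: list = field(default_factory=list)  # Set-Cookie values in the response

def audit(records):
    """Return (url, finding) pairs for every cleartext exposure found, in order."""
    findings = []
    for r in records:
        cleartext = urlparse(r.url).scheme.lower() == "http"
        # 1. login/credential fields travelling in the body of an http call
        if cleartext and r.body:
            keys = {kv.split("=", 1)[0].lower() for kv in r.body.split("&") if "=" in kv}
            if keys & CREDENTIAL_KEYS:
                findings.append((r.url, "credentials on unencrypted API call"))
        # 2. username/email inside a cookie the client sent over http
        cookie = r.headers.get("Cookie", "")
        if cleartext and (EMAIL_RE.search(cookie)
                          or any(k + "=" in cookie.lower() for k in CREDENTIAL_KEYS)):
            findings.append((r.url, "username/email in cookie over http"))
        # 3. server issued a cookie without Secure, so it will be replayed on http
        for sc in r.set_cookies:
            attrs = {a.strip().lower() for a in sc.split(";")[1:]}
            if "secure" not in attrs:
                findings.append((r.url, "Set-Cookie without Secure: " + sc.split("=", 1)[0]))
    return findings

# Constructed sample traffic; hosts and values are placeholders, not real captures.
SAMPLE = [
    HttpRecord("POST", "https://api.example.test/login", body="username=fan1&password=hunter2",
               set_cookies=["profile=fan1%7Cfan1%40example.test; Path=/"]),
    HttpRecord("POST", "http://api.example.test/v1/session", body="username=fan1&password=hunter2"),
    HttpRecord("GET", "http://www.example.test/news", headers={"Cookie": "profile=fan1|fan1@example.test"}),
    HttpRecord("GET", "https://www.example.test/profile", headers={"Cookie": "sid=abc123"},
               set_cookies=["sid=abc123; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{finding}: {url}")
```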
“NFL Mobile is a relatively popular app with our US customers,” said Wandera CEO, Eldar Tuvey, in a statement.
“It is ironic that just like a quarterback being vulnerable to an interception, the NFL app is vulnerable to a Man in the Middle attack that puts users’ data at risk of interception by hackers.”
Wandera isn’t sure if credit card information is also at risk with this vulnerability as it didn’t try to buy any NFL gear during its security review.
However, the potential is there for hackers to grab significant volumes of personal data which could be used to crack bank accounts and other high value targets, given password reuse across accounts.
The risk is especially high given the likely popularity of the app in the last few days running up to the Super Bowl.
“Twenty-three percent of our US customers have at least one employee using the app and we expect this to increase significantly as the big game approaches,” claimed Tuvey.
Other NFL apps including NFL Now and NFL Fantasy Football weren’t reviewed by Wandera this time around, although users will now have legitimate concerns about the security of their data on these applications too.
A spokesman for NFL Media gave Infosecurity the following statement:
"We’ve looked into this vulnerability and it’s been addressed. We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible."