XSS, password flaws found in popular ESPN app


Researchers have discovered two security holes in a popular mobile app used to track sports news and scores, leaving users vulnerable to having their data exposed.

On Thursday, Michael Sutton, vice president of security research at Zscaler, published a blog post detailing flaws in the popular app ESPN ScoreCenter. The San Jose, Calif.-based cloud security firm discovered that the app was vulnerable to a common coding flaw known as cross-site scripting (XSS), as well as to a weakness through which an attacker could access usernames and passwords when users set up their accounts.

The latter security issue would primarily be a concern for individuals who use the same login credentials for multiple accounts, such as their bank accounts. Meanwhile, attackers could leverage the XSS bug to conduct a number of malicious actions, including injecting client-side script into web pages, stealing a user's authentication cookie, and bypassing other access controls to gain sensitive user data.

ESPN ScoreCenter is a free app available for Android, iPhone and Windows Phone users, and provides personalized scoreboards and live alerts on sports teams, players and leagues. The vulnerabilities were discovered in version 3.0 of the app.

“Many mobile apps are actually just web pages displayed in a WebView control or, more commonly, web content mixed in with native controls, such is the case for ESPN SportsCenter,” Sutton wrote, explaining how XSS is carried out in the app, as opposed to a traditional web application. “As with many web apps, when user-supplied content isn't properly sanitized, active content, such as JavaScript can be injected.”

Sutton noticed the second flaw, in which the ESPN ScoreCenter app sends users' passwords in clear text during the initial login, as he set up an account to use the app.

“Anyone sniffing traffic on the network would be able to easily steal your username/password,” he wrote. “More often than not, when I see this flaw [in mobile apps], it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you've created an account, subsequent logins at the regular login page…are sent via HTTPS [HyperText Transfer Protocol Secure]. This is not the case, however, when an account is first created, with the username/password sent in clear text.”

Sutton said it's common for mobile apps to pass authentication credentials in clear text. 

SCMagazine.com reached out to ESPN, but did not immediately hear back on whether the flaws were being investigated or patched. 

UPDATE: In an email, an ESPN spokeswoman said the company "immediately began investigating the issue" once it was made aware of the flaws. "It has been resolved," she wrote.