Security researchers discovered that a CBS Sports app left the personal information of millions of app users unencrypted, in clear text.
The Android and iOS versions of the mobile application exposed user information, which included the first and last names, dates of birth, email addresses, login passwords, and zip codes of the mobile app users, according to security researchers at Wandera. The Android app has received five million to 10 million downloads, according to Google Play.
The CBS Sports mobile website also did not encrypt user data during the login process. Users' email addresses and passwords were transmitted in clear text, according to a threat advisory issued by Wandera.
The personal information was discovered and reported to CBS Sports Digital on March 18, Wandera VP of product Michael Covington told SCMagazine.com.
“There was no data breach on either the CBS Sports app or mobile site,” stated CBS Sports Digital, when contacted by SCMagazine.com. “Our internal teams are rigorous about monitoring our platforms for any potential security issues. We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection.”
“They almost seemed to push this out without a best practices sanity check,” said Covington, speaking with SCMagazine.com. “The mobile side of the website infrastructure was simply not secured.”
The vulnerability has been remedied, according to CBS Sports Digital. A company representative declined to answer questions about why the mobile app required sensitive information, including the full name, date of birth, and zip code of users.
“This is a trend that we're seeing in the sector,” Covington said. “Users are parting with very sensitive pieces of information, and that information is not being treated with the care that it deserves.”