A vulnerability in the Flash Seats Mobile App for iOS could allow attackers to steal login credentials using a man-in-the-middle attack, the CERT/CC has warned.

The Flash Seats Mobile App for iOS, a sports and entertainment ticket management app, is vulnerable to man-in-the-middle attacks due to improper validation of SSL certificates provided by HTTPS connections. According to a vulnerability advisory by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, there is no current patch.
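The defect the advisory describes, a TLS client that does not properly validate the server's certificate, is easiest to see beside its corrected form. The following is an added example written for this article, not code from the Flash Seats app (whose source is not public) or from the CERT/CC; it uses Python's standard `ssl` module to build a client context with validation switched off, the hardened default context, and a small audit function that reports which checks a given context lacks. The defect names returned by `audit_client_context` are labels chosen for this example.

```python
"""Improper TLS certificate validation, illustrated with Python's ssl module.

Added example for this article; it is not the Flash Seats app's code. The
insecure context reproduces the class of defect behind CVE-2017-3190: a client
that accepts any certificate, so an on-path attacker can present their own and
read the traffic, including login credentials.
"""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern: certificate chain and hostname checks both disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, signed by anyone
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The corrected pattern: chain validated against the system trust store,
    hostname checked against the certificate, legacy protocol versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> set:
    """Return the set of validation defects found in a client context.

    Defect names are labels chosen for this example. An empty set means the
    context will reject an attacker-supplied certificate; any entry means a
    man-in-the-middle can succeed or the connection is weaker than it should be.
    """
    defects = set()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        defects.add("certificate_not_required")
    if not ctx.check_hostname:
        defects.add("hostname_not_checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        defects.add("legacy_tls_allowed")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        # No trust anchors loaded: CERT_REQUIRED would fail every handshake,
        # which tempts developers into the CERT_NONE workaround above.
        defects.add("no_trust_anchors_loaded")
    return defects


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(f"{name}: {sorted(audit_client_context(ctx)) or 'no defects'}")
```

The same two settings, chain verification and hostname checking, are what a mobile TLS stack must enforce; an app that turns either off is exposed exactly as the advisory describes, and the audit above is the kind of check a code review or CI step can run against a project's TLS configuration.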

Attackers who exploit this flaw, officially designated CVE-2017-3190, may be able to obtain sensitive account information such as login credentials, the CERT/CC warned on Wednesday.

As a workaround, the CERT/CC recommends using the Flash Seats website instead of the mobile app. Users who choose to keep using the app should at least avoid public Wi-Fi and other untrusted networks, where an attacker can more easily position themselves between the app and the server.

"We are aware of this issue and the fix has already been implemented and is now available in the App Store, closing identified vulnerabilities related to MITM access. We have alerted CERT of the update, and they have updated their notice to reflect the fix," Jusin Jimenez, a spokesman for AXS, parent company to Flash Seats, told SC Media on March 15.

Will Dormann, a vulnerability analyst at the CERT/CC, is credited with discovering the vulnerability.

US-CERT has also noted that an update has been issued.

Update: this story now includes the company's statement that it was made aware of the problem and has issued an update correcting it.