Sheesh.
Image: Martin Poole/Getty
Look, we get it. Cybersecurity is hard. But maybe, just maybe, a conference dedicated to computer security and encryption should know better than to leave attendee information exposed via its conference mobile app.
And yet.
As the RSA Conference winds down today in San Francisco, organizers have been forced to acknowledge that all has not been right in their own house. Specifically, a security researcher looking into the RSA Conference Mobile App discovered that at least some user information was exposed to anyone who knew where to look.
“[It] was the API from http://eventbase.com that was used by the RSA conference app,” the researcher, who goes by svbl, explained over Twitter direct message. “[The] vulnerability was on Eventbase’s side.”
Svbl tweeted out the steps he took to access the information and alerted organizers to what might generously be called an oversight.
The RSA Conference responded and quickly resolved the vulnerability, but, shall we say, the statement didn’t really cop to the fact that organizers shipped an app built on a third-party API that exposed attendee data.
“Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed,” read a statement. “No other personal information was accessed, and we have every indication that the incident has been contained.”
wow, the spin.
they’re treating it like a breach, not like they should have known better and could have completely avoided it.
— Dan Tentler (@Viss), April 20, 2018
That only 114 first and last names were accessed isn’t because of some magic cybersecurity protections. Rather, it’s because svbl limited his probing to just a peek — merely to confirm the vulnerability — before reporting it.
This is correct and confirms that it was only me querying a sample of 100 entries (plus some tests) before reporting. Happy to see it was fixed that quickly, great job @RSAConference! – feel free to contact me for some other parts you might want to look at.
— svbl (@svblxyz), April 20, 2018
Notably, this isn’t the first time the RSA Conference has blundered with its conference app.
“This isn’t surprising,” tweeted the engineer and hacker Ming Chow. “Let me remind you of the RSA Conference 2014 app that downloaded all attendees’ names into SQLite DB.”
And, to make matters worse, this wasn’t the only problem members of the cybersecurity community had with the conference app. Specifically, the permissions the app required raised a lot of eyebrows.
yeah, you install that app.
you give it access to everything.
if i hear you whine that your shit got stolen i will actually black bag you and make you eat your phone.
— Dan Tentler (@Viss), April 19, 2018
Thankfully for attendees, svbl appears to have had no ill intentions.
“[I] only pulled a sample of data (~100 records) before I reported it to RSA directly and as you saw they fixed it very quick (which is awesome),” the researcher wrote to us.
And while a fast response is great, still, come on. Security professionals like those at the RSA Conference shouldn’t count on the goodwill of third-party researchers to keep attendee data secure. But somehow, that’s exactly where we are.