NFL Mobile Sports App Contains Super Bowl-Sized Vulns

Published: 22/11/2024   Category: security




Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.



[UPDATED 1/27/15 with comments from the NFL]
Russell Wilson and Tom Brady aren't the only ones who might be due for an interception this Super Bowl Sunday. As the Seahawks and the New England Patriots lock horns on the gridiron, football fans might find that their data is what's being intercepted off the field. According to a report by mobile data gateway firm Wandera, the popular NFL Mobile app has a vulnerability that leaves users' sensitive personal data exposed to man-in-the-middle attacks.
Wandera's scan of the app found that, once a user has logged in through their NFL.com account, NFL Mobile sends their credentials in an unencrypted API call. It also leaks the username and email address in an unencrypted cookie immediately after login and on every subsequent call the app makes to the NFL.com domain.
That trio of details is enough to get an attacker into the user's full profile on the main NFL website. And because that page is also served unencrypted, it is trivial for anyone positioned on the network path, for example on the same public Wi-Fi, to siphon off the user's registered personal data through a man-in-the-middle attack. This profile information includes the user's address, phone number, occupation, date of birth, and gender.
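The two weaknesses described above, credentials carried in a cleartext request and an identity cookie that is not marked Secure, are easy to check for in a captured login exchange. The following is an added example, not code from the article or from Wandera, that parses raw HTTP request and response bytes (as captured with an intercepting proxy) and reports both conditions. The hostnames, paths, field names and cookie names in the sample traffic are constructed for illustration and are not the real NFL Mobile API.

```python
"""Audit a captured HTTP login exchange for cleartext credentials and
cookies set without the Secure attribute.  Added example; sample traffic
below is constructed, not a real capture."""
from urllib.parse import parse_qs

# Field names that usually carry credentials or identity (assumption).
CREDENTIAL_FIELDS = {"username", "user", "email", "password",
                     "passwd", "pass", "token", "access_token"}

# Constructed sample traffic: hypothetical host, path and field names.
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"username=fan%40example.com&password=hunter2"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: profile=fan%40example.com; Path=/; HttpOnly\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_http(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, headers, body).
    Headers are a list of (lowercased name, value) pairs so repeated
    headers such as Set-Cookie are all kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    """All values of a (lowercased) header name, in order."""
    return [v for n, v in headers if n == name]


def find_cleartext_credentials(raw_request: bytes, scheme: str):
    """Names of credential-like fields a network attacker can read.
    Over https the request body and headers are not visible on the wire,
    so only plain-http requests produce findings."""
    if scheme != "http":
        return []
    start_line, headers, body = parse_http(raw_request)
    _method, target, _version = start_line.split(" ", 2)
    found = []
    # Credentials in the query string of the request target.
    query = target.partition("?")[2]
    found += [k for k in parse_qs(query) if k.lower() in CREDENTIAL_FIELDS]
    # Credentials in a form-encoded body.
    ctype = header_values(headers, "content-type")
    if ctype and ctype[0].startswith("application/x-www-form-urlencoded"):
        found += [k for k in parse_qs(body.decode("latin-1"))
                  if k.lower() in CREDENTIAL_FIELDS]
    # An Authorization header (Basic, Bearer, ...) is cleartext too.
    if header_values(headers, "authorization"):
        found.append("authorization")
    return found


def find_insecure_cookies(raw_response: bytes):
    """Names of cookies set without the Secure attribute.  Such a cookie
    is attached to every later plain-http request to the domain, so it
    leaks even when the login itself went over https."""
    _, headers, _ = parse_http(raw_response)
    insecure = []
    for value in header_values(headers, "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            insecure.append(name)
    return insecure


def audit(raw_request: bytes, raw_response: bytes, scheme: str):
    """Human-readable findings for one request/response pair."""
    findings = []
    for field in find_cleartext_credentials(raw_request, scheme):
        findings.append(f"credential field '{field}' sent over plain {scheme}")
    for cookie in find_insecure_cookies(raw_response):
        findings.append(f"cookie '{cookie}' set without Secure; "
                        "it will be sent on later http requests")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_REQUEST, SAMPLE_RESPONSE, "http"):
        print("FINDING:", line)
```

Note the asymmetry the check encodes: switching the login call to https removes the first class of finding, but the `profile` cookie is still reported, because a cookie without `Secure` rides along on any later plain-http request to the same domain, which is exactly how the username and email would keep leaking after login.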
According to Wandera, the scan was a preliminary probe: its researchers did not attempt to make a purchase during the review to confirm whether credit card information would also be visible, nor did they examine other apps such as NFL Now or NFL Fantasy Football. However, given how widely passwords are reused, the exposed credentials could also open the door to users' other accounts.
“A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets,” says Eldar Tuvey, CEO of Wandera, which reports that almost a quarter of the users in its customer base have NFL Mobile installed on their devices. “Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans.”
According to an NFL spokesman, the league is aware of the vulnerability and has made fixes on the back end to protect users, so no app update is necessary.
“We've looked into this vulnerability and it's been addressed,” says Alex Riethmiller, spokesman for the NFL. “We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible.”
Professional sports websites and apps are a popular target among criminal hackers because sports draw such a wide range of demographics. For example, in 2013 hackers targeted NFL fans through fake Facebook pages seeded with malicious links serving Zeus malware. And in 2012, MLB.com was found to be serving fake antivirus malware through malicious ads delivered by an ad network.
Hackers particularly like to leverage high-visibility events like the Super Bowl, taking advantage of people's heightened curiosity and lowered caution toward sites offering the latest news about the event. In fact, back in 2007, the Miami Dolphins' websites were hacked and were serving up malware to visitors at least a week before the team hosted the Super Bowl.





