The official NFL app has been found to be leaking users’ personal data from their mobile phones.
With the Super Bowl just days away, Wandera, the Mobile Data Gateway, announced today that it had discovered a security hole in the NFL Mobile app.
According to Wandera, once the user has signed up securely using their NFL.com account, the app leaks their username and password in a secondary API call, as well as in an unencrypted cookie. An attacker could hypothetically access the user’s full NFL profile, although there was no evidence that credit card information would be visible.
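The leak described above, credentials that were submitted once at sign-in reappearing in a later API call and in a cookie sent over plain HTTP, is the kind of thing an app's own QA can catch by replaying a test account's traffic. The following is an added example, not Wandera's tooling or the NFL app's code; the hosts, paths, cookie names and the captured requests are constructed placeholders.

```python
"""Scan a captured sequence of HTTP requests for a test account's password
reappearing after the sign-in call, and record where it showed up and
whether the channel was unencrypted. All capture data below is constructed."""
from urllib.parse import urlsplit, unquote_plus

# Constructed capture: (method, url, headers, body). The first entry is the
# sign-in request itself; every later entry should be free of the password.
CAPTURE = [
    ("POST", "https://id.example.test/login",
     {"Cookie": ""}, "user=fan1&pass=S3cret%21"),
    ("GET", "http://api.example.test/profile?user=fan1&pass=S3cret%21",
     {"Cookie": "session=abc"}, ""),
    ("GET", "http://api.example.test/scores",
     {"Cookie": "user=fan1; pass=S3cret!"}, ""),
    ("GET", "https://api.example.test/news",
     {"Cookie": "session=abc"}, ""),
]


def find_credential_leaks(capture, secret):
    """Return one finding per request (after the sign-in) that carries
    `secret` in its query string, body or Cookie header. URL-encoding is
    undone first so an encoded copy of the secret is still detected."""
    findings = []
    for method, url, headers, body in capture[1:]:
        parts = urlsplit(url)
        locations = []
        if secret in unquote_plus(parts.query):
            locations.append("query")
        if secret in unquote_plus(body):
            locations.append("body")
        if secret in unquote_plus(headers.get("Cookie", "")):
            locations.append("cookie")
        if locations:
            findings.append({
                "method": method,
                "url": url,
                "where": locations,
                # Plain HTTP means anyone on the path can read the secret.
                "plaintext": parts.scheme == "http",
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(CAPTURE, "S3cret!"):
        print(f)
```

Running it against a real capture means exporting the proxy log of a test session into the same (method, url, headers, body) tuples; a clean app yields an empty list.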
"NFL Mobile is a relatively popular app with our US customers," said Eldar Tuvey, CEO of Wandera. "23 percent of our US customers have at least one employee using the app and we expect this to increase significantly as the Super Bowl approaches.
"A very high percentage of users reuse passwords across multiple accounts, so the email/password combination for NFL Mobile may also be the same as those used to access sensitive corporate data, banking sites, or other high value targets. Moreover, date-of-birth, name, address and phone number are the exact building blocks required to initiate a successful identity theft from the NFL fans."
He added: "Mobile attacks are growing on all platforms, but it’s clear that many businesses are still underestimating the severity and risk that smartphones present. The threats out there are real and changing every day. Fragmented, piecemeal security simply will not do anymore."
A spokesperson for NFL Media commented: "We’ve looked into this vulnerability and it’s been addressed. We continuously monitor and evaluate our systems for any security issues and remediate them as quickly as possible."