Friday, April 20, 2018

Irony: RSA Conference is a security conference, and its app was leaky (again)

You wouldn’t expect the organisers of a seminar on nuclear physics to hand out conference badges that were contaminated with dangerous levels of radioactivity.

You wouldn’t expect to attend a workplace health and safety training course in a conference centre where the fire exits had been padlocked shut.

RSAC was back in the “do as I say not as I do” limelight again in 2014, issuing an official mobile app for the event that hooked into the event database so you could see the schedule of talks, with any last-minute updates or changes automatically shown.

Unfortunately, the database pulled down by the app also included details of all the other conference delegates who had registered to use the app so far – meaning that anyone who installed the app after you would get to see your details, too.

At RSAC 2018, Twitter user @svblxyz found similar security problems to those of 2014 in this year’s conference app.

Amongst other things, the app contained URLs from which database content could be downloaded, apparently including the real names of other mobile app users.

https://nakedsecurity.sophos.com/2018/04/20/rsa-conference-has-a-leaky-app-again/
