Last week’s story of security company Wandera accusing CBS Sports of a March Madness data leak, with CBS strongly denying it and suggesting Wandera was self-promoting, has seen some further interesting developments. To recap, Wandera VP (product) Michael Covington told CNBC “We know that information was leaked” on CBS Sports’ popular app during the NCAA tournament, and CBS’s statement took issue with that claim:
“There was no data breach on either the CBS Sports app or mobile site. Our internal teams are rigorous about monitoring our platforms for any potential security issues. We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection.”
The competing claims in that story deserve further scrutiny, especially given the popularity of the CBS Sports app and the dangers Covington has claimed could arise from a data leak. To start with, there’s the question of whether any user information was actually leaked, and if so, when and how it could have happened. The vulnerability Wandera identified (and wrote about in a threat alert on their website on March 23, at which point CBS says the vulnerability was already fixed) revolves around how user information is sent to CBS (either through the app or the mobile site) when a user signs up for the first time. Here’s what Wandera’s alert wrote:
The Wandera ThreatOps Team has identified that both the Android and iOS versions of the CBS Sports app transfer PII (Personally Identifiable Information) including passwords, zip codes and birth dates over an insecure connection. This occurs when the user signs up for an account. Furthermore the security of the login/signup process of the mobile CBS Sports website is also open to interception – both the sign up process and the login process are insecure. Since mobile users are vulnerable to man-in-the-middle attacks we believe that this potential data exposure is very sensitive with a high impact surface area, especially during popular sports events where app and website usage is boosted significantly – e.g. the ongoing NCAA tournament.
According to a CBS source, this vulnerability did exist. The app and the mobile site both sent user information at signup over the unencrypted “http://” protocol rather than the encrypted “https://” protocol, and the CBS source says that was an error on their programming side. It appears that CBS intended to have their sports app transmit data over a secure protocol from the start (as their company’s other apps did), that it didn’t do so thanks to some unknown error, and that it now does. However, the source claimed that this vulnerability only existed if a user was signing up for the first time over a public Wi-Fi connection (a Starbucks or a bar or something) rather than a private (home or office) Wi-Fi connection or a cellular connection, and that it only could have been exploited if a hacker with the proper equipment was connected to the same public Wi-Fi connection at the same time and was specifically targeting people signing up for the CBS mobile app or creating an account on CBS’s mobile site. The source said this wouldn’t have applied for those already-registered who were just using the app or the site, and that the numbers of potentially-vulnerable people here are very low. (One caveat on that framing: plain HTTP is readable by anyone positioned between the device and the server, on any network; shared public Wi-Fi is simply the place where an attacker can most easily get into that position, which is why it dominates the discussion.)
CBS jumped on fixing this immediately after they were notified of the issue and fixed it more than a week before Wandera published their March 23 alert. That data now travels over a secure protocol. Behind the scenes, CBS teams have done numerous tests trying to identify any potential breach as a result of this vulnerability, but they have found no evidence of any actual data breach. So, from CBS’s standpoint, no leak actually occurred, which explains their firm public stance on the matter.
However, Covington said in a follow-up e-mail interview with Awful Announcing that this vulnerability still is a leak, as the information was broadcast insecurely, regardless of whether anyone picked it up, and that there is “no way to know” if attackers were capturing this information. (When contacted by Awful Announcing, CBS declined to put forth additional comment on the story.)
“A mobile device with the vulnerable app being used on a public WiFi network would have exposed the sensitive data because the developer failed to use HTTPS to securely communicate over the network,” Covington said. “Just because this information was leaked ‘in the clear’ does not imply that an attacker was on the same network capturing that communication session between the app and the CBS Sports service. What makes data leaks so difficult to quantify is the fact that they happen outside the device. Because mobile devices communicate over the network wirelessly, there is no way to know if an attacker was capturing that communication for nefarious purposes. Consider this analogy to help explain: Data leaks are like a person who walks down the street screaming out sensitive details for all to hear. Unless you’re the attacker, there’s no proof that anyone was around and actually paying attention to access to the information being broadcast.”
Covington also said it would have been quite easy to pick up this information given the nature of this vulnerability. “What’s particularly disturbing about data leaks, such as the one we observed with the CBS Sports app, is that they do not require any special skill for an attacker – or even a casual observer – to exploit in order to gain access to sensitive data,” he said. “This is because data leaks are the result of poor development practices which fail to protect data in transit. Essentially, the data is available to anyone who utilizes the same network as the device with the vulnerable app. By not using a secure network transport protocol (such as HTTPS), the developers simply sent the data over the network in a format that anyone with a simple network sniffer could observe.”
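To make concrete both the bug CBS describes above (signup data sent over http:// instead of https://) and Covington’s point that a “simple network sniffer” is all it takes, here is an added example written for this article. It is not CBS’s or Wandera’s code; the host name, path and form field names are hypothetical placeholders, and the captured request is constructed, not a real capture. The first function shows what a passive observer recovers from a cleartext signup POST, and the second is the client-side guard that a developer can add so credentials are never serialised onto a non-TLS URL.

```python
"""Added example for this article, not CBS Sports or Wandera code.

Two sides of the http:// vs https:// signup bug:
  * sniff_pii(): what a passive sniffer on the same network reassembles
    from a cleartext HTTP POST (constructed sample below).
  * signup_url_is_safe() / submit_signup(): the client-side check that
    refuses to send credentials anywhere but an https:// origin.
Host, path and field names are hypothetical placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields the article says were exposed: username, password, e-mail, zip, DOB.
PII_FIELDS = ("username", "password", "email", "zip", "dob")

# Constructed sample: the body of a signup POST as it would appear on the wire
# when the app uses plain http://. Nothing here is real user data.
SIGNUP_BODY = (
    b"username=fan123&password=Hoops2016%21&email=fan%40example.invalid"
    b"&zip=10019&dob=1988-04-02"
)
CAPTURED_SIGNUP = (
    b"POST /account/signup HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"            # hypothetical host
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SIGNUP_BODY)
    + SIGNUP_BODY
)

# Constructed sample: the first bytes of a TLS stream (record type 0x16 =
# handshake, version 3.1). A sniffer sees this, not the form fields, once the
# app talks https://.
CAPTURED_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32


def sniff_pii(raw: bytes) -> dict[str, str]:
    """Recover form fields from a cleartext HTTP request, as a sniffer would.

    Returns {} when the bytes are not readable HTTP (e.g. a TLS record),
    which is exactly the difference the https:// fix makes.
    """
    if not raw.startswith((b"POST ", b"PUT ", b"GET ")):
        return {}
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("ascii", "replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        return {}
    length = int(headers.get("content-length", len(body)))
    parsed = parse_qs(body[:length].decode("utf-8", "replace"),
                      keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def leaked_pii(fields: dict[str, str]) -> list[str]:
    """Which of the article's PII fields are present in a sniffed request."""
    return sorted(name for name in PII_FIELDS if name in fields)


class InsecureTransport(Exception):
    """Raised when credentials would be sent over a non-TLS URL."""


def signup_url_is_safe(url: str) -> bool:
    """True only for an https:// URL. http:// (the CBS Sports bug) is not."""
    return urlsplit(url).scheme == "https"


def submit_signup(url: str, fields: dict[str, str], send=None) -> str:
    """Client-side guard: serialise and send the form only over https://.

    `send(url, body)` is a hypothetical transport hook so the example runs
    offline; a real app would call its HTTP client here.
    """
    if not signup_url_is_safe(url):
        raise InsecureTransport(f"refusing to send credentials over {url}")
    body = urlencode(fields)
    if send is not None:
        send(url, body)
    return body


if __name__ == "__main__":
    seen = sniff_pii(CAPTURED_SIGNUP)
    print("sniffer recovered:", leaked_pii(seen), "password =", seen["password"])
    print("sniffer recovered from TLS stream:", sniff_pii(CAPTURED_TLS))
    try:
        submit_signup("http://api.example.invalid/account/signup", seen)
    except InsecureTransport as err:
        print("guard:", err)
```

The guard is the application-level version of what both mobile platforms can now enforce for you: iOS App Transport Security and Android’s Network Security Config (`cleartextTrafficPermitted="false"`) make the http:// request fail outright instead of silently leaking, which turns a bug like this one into a crash in testing rather than a finding in someone else’s threat alert.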
There was no question of credit card, social security or mailing address information leaking here, so if a leak did occur, it would have given up only CBS usernames, dates of birth, e-mail addresses, account passwords and zip codes. Covington told Awful Announcing his describing that information as “the keys to the kingdom” to CNBC was justified, though, as some of that could potentially be used for identity theft.
“In most cases, usernames and passwords are sufficient to provide full access to a user’s online account,” he said. “Even if the other bits of information did not leak, an attacker with access credentials could bypass any protections that are put in place and gain full access to the account. What’s even more alarming is the fact that the other personally identifiable information leaked as well. Latanya Sweeney at Carnegie Mellon University did some fascinating work about 16 years ago where she showed that 87% of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex. The information that leaked from the CBS Sports app is more than enough to commit fraud in a variety of ways, but identity theft is perhaps one of the most concerning.”
The other dispute here is about Wandera’s motivation and timeline. The belief inside CBS is that Wandera’s approach and decision to eventually take this public was unusual. According to a CBS source, the media company received an initial private e-mail from Wandera both notifying them of the potential breach and offering security consulting services. CBS started work on fixing the issue the next day, but declined Wandera’s offer of consulting services. The source said Wandera’s March 23 public threat alert on their own website came more than a week after CBS had corrected the issue and after CBS had made them aware that it had been fixed.
The viewpoint from CBS is that Wandera shopped the story (as if it was still an active issue) to various news outlets before publishing their own alert, and that the alert was published in present tense as if the problem still existed, with only a small “Update: We are pleased to say that CBS has confirmed the issue has been corrected following our disclosure to them” at the very bottom. Covington told Awful Announcing Wandera only announced the threat once the issue had been fixed so that users could then take corrective action.
“We take issues of security and privacy very seriously, and we value the security community,” Covington said. “By responsibly disclosing vulnerabilities, we strive to address problems at the core so that all those affected can benefit from a fix. Anytime we find a new vulnerability, we make every effort to contact the company with the buggy product to alert them of the observed issue. Our recent discoveries surrounding the CBS Sports app and mobile website followed the same process. As soon as we discovered that the services were exposing user data, we contacted CBS so they could address the problem. It would have been irresponsible of us to announce publicly during the tournament, when usage of the app was likely at an all-time high, and the problem existed in both the iOS and Android versions of the app that were current at the time. We were only comfortable announcing the vulnerability once CBS had fixed the problem so that users could take corrective action, such as changing passwords.”
Furthermore, Covington responded to the claim in CBS’s statement that Wandera does this “for their own purposes rather than user protection” by saying his company is trying to educate users and CBS’s handling of this is a “missed opportunity.”
“I think that CBS missed an opportunity to educate the market and better protect their users,” he said. “The developers of the CBS Sports app and mobile website made a mistake that resulted in a failure to protect sensitive user information. I don’t like it, but these things happen. The good news is that they responded to the information we sent them and took corrective actions to protect the user data. CBS is not alone. We have seen many other companies make similar mistakes. But by not acknowledging the vulnerability, users of the CBS Sports mobile app and website are left exposed. Users should take this public conversation as a reminder that they need to be responsible for their own online security. Users should change passwords often and only part with sensitive information when the service absolutely requires it.”
So, what’s not in dispute here is that the CBS Sports app and mobile site were unintentionally sending user-registration information over an unencrypted protocol until Wandera contacted them about it and they changed to a secure protocol. The two sides disagree over the size of the threat that was possible here, over whether it matters that CBS’s teams haven’t found proof of any attackers accessing data, and over Wandera’s motivation and subsequent actions when it comes to publicizing this. Their perspectives are not going to align anytime soon. But the information above should give users a sense of whether this threat could have possibly affected them (those who created an account in the app or on the mobile site before the fix, particularly on a shared network, are the group the dispute is about), and of the differing perspectives on how serious it could be. It also provides a fascinating look at the drastically different perspectives on each side of this situation. Given how important mobile apps are becoming and how many hackers are out there, it may be a situation we see in sports again.