A version of this blog was originally posted on September 25, 2013.
Have you heard about the vulnerability in the Yahoo! Fantasy Football app? If Knowshon Moreno's performance on Monday against the Oakland Raiders got you down, you might want to read this warning to fantasy football players: don't place any bets this season until you update your Yahoo! Fantasy Football mobile app. An attacker could be manipulating your lineups, putting injured or poor-performing players in the weekly lineup while benching the top players on your team, essentially stacking the odds against you.
During vulnerability testing we found that a previous version of the Yahoo! Fantasy Football mobile app is vulnerable to session hijacking (video). In a session hijack, an attacker who obtains or guesses another user's session token presents it to the service and is treated as that user, without ever authenticating as them; the session token, not the password, is what the server trusts. In this case the vulnerability allows an attacker to impersonate another player on message boards and manipulate other players' lineups.
We acknowledge that, at least in this case, the vulnerability is relatively benign: you can lose your bet, of course, but it's not the end of the world. However, it is indicative of a larger problem: the general lack of attention paid to security during development and testing. Some of the most common security mistakes made during mobile web app development are related to session management, such as tokens that are predictable, never expire, are not rotated at login, or travel over unprotected connections. In most cases a single such mistake isn't a significant liability on its own, but the more of them developers make, the easier it is to chain them into a working attack. This is the case with Yahoo's fantasy football application.
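To make the session-management point concrete, here is an added example (not code from the original post, and not a reproduction of the Yahoo! app, whose specific flaw the post does not detail). It shows two common mistakes side by side with a hardened store: sequential session ids that an attacker can enumerate after seeing their own, and sessions that never expire, versus random tokens from the OS CSPRNG with expiry and rotation at login. The `WeakSessionStore`, `HardenedSessionStore` and `enumerate_neighbours` names, and the counter starting at 1000, are assumptions made for the illustration.

```python
"""Session-management mistakes that make hijacking easy, beside a hardened
version. Constructed example; it does not reproduce the Yahoo! app's code."""
import secrets
import time


class WeakSessionStore:
    """Two common mistakes: sequential tokens and sessions that never expire."""

    def __init__(self):
        self._sessions = {}
        self._next_id = 1000  # assumption: a server-side counter used as the session id

    def login(self, user):
        self._next_id += 1
        token = str(self._next_id)  # predictable: an attacker can enumerate neighbours
        self._sessions[token] = {"user": user}
        return token

    def whoami(self, token):
        # No expiry and no binding to the client: whoever presents the token is the user.
        sess = self._sessions.get(token)
        return sess["user"] if sess else None


class HardenedSessionStore:
    """Random tokens from the OS CSPRNG, a time-to-live, and rotation at login."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def _issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[token] = {"user": user, "expires": self._clock() + self._ttl}
        return token

    def login(self, user, old_token=None):
        # Rotate: a token that existed before authentication (for example one an
        # attacker planted, i.e. session fixation) must not become the authenticated one.
        if old_token is not None:
            self._sessions.pop(old_token, None)
        return self._issue(user)

    def whoami(self, token):
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() >= sess["expires"]:
            del self._sessions[token]  # expired sessions are purged, not honoured
            return None
        return sess["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


def enumerate_neighbours(store, observed_token, width=50):
    """Attacker model: having seen one token (their own login), try nearby integer
    values looking for other users' live sessions.

    Returns a list of (token, user) pairs the attacker could now act as."""
    try:
        base = int(observed_token)
    except ValueError:
        return []  # token is not an integer, so there is nothing to enumerate
    hits = []
    for candidate in range(base - width, base + width + 1):
        token = str(candidate)
        user = store.whoami(token)
        if user is not None and token != observed_token:
            hits.append((token, user))
    return hits


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.login("victim")
    attacker_token = weak.login("attacker")
    print("weak store, hijacked:", enumerate_neighbours(weak, attacker_token))

    hard = HardenedSessionStore()
    hard.login("victim")
    attacker_token = hard.login("attacker")
    print("hardened store, hijacked:", enumerate_neighbours(hard, attacker_token))
```

Against the weak store the attacker recovers the victim's session with a handful of guesses; against the hardened store the same loop finds nothing, and a stolen token stops working once its TTL passes or the user logs in again. Random tokens do nothing about eavesdropping, so the cookie or header carrying them still has to go over TLS only.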
It is also concerning that the application went public without proper security testing – which would have uncovered the vulnerability. Oftentimes organizations are in a hurry to deliver mobile apps and sacrifice security as a result.
Finally, for users of mobile apps: failing to update your apps in a timely manner puts you at unnecessary risk once a vulnerability has been fixed in a later version, because the fix only protects you after you install it.
Note: This blog has been transferred from Dan Kuykendall's blog, manvswebapp.com, as part of Rapid7's acquisition of NT OBJECTives.