Mobile Application Security: Think Twice Before Placing Football Bets

Have you heard about the vulnerability in the Yahoo! Fantasy Football app? If Knowshon Moreno’s performance on Monday against the Oakland Raiders got you down, you might want to read this warning to fantasy football players: Don’t place any bets this season until you update your Yahoo! Fantasy Football mobile app. A hacker could be manipulating your lineups, putting injured or poor performing players in the weekly lineup while benching top-seeded players on your team – essentially stacking the odds against you.

Oakland Raiders v Denver Broncos

During vulnerability testing we found that a previous version of the Yahoo! Fantasy Football mobile app is vulnerable to session hijacking (video) – an attack that defeats session management, the process of authenticating the user and ensuring an attacker isn’t impersonating a user or eavesdropping on a service. The vulnerability allows an attacker to impersonate another player on message boards and manipulate other players’ lineups.

We acknowledge that, at least in this case, the vulnerability is relatively benign: you can lose your bet, of course, but it’s not the end of the world. However, it is indicative of a larger problem: the general lack of attention paid to security during development and testing. Some of the most common security mistakes made during mobile web app development are related to session management. In most cases, a single vulnerability isn’t a significant liability, but the more mistakes developers make, the easier it is to attack the app. This is the case with Yahoo’s fantasy football application.
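The post does not detail the exact flaw, so the following is an added illustration (not Yahoo’s code) of the class of session-management mistake it refers to: a hypothetical `WeakSessions` that issues guessable tokens and trusts a client-supplied user id when a lineup is saved, beside a `SecureSessions` that issues opaque random tokens with an expiry and derives the acting user only from the validated session. The player names and the one-hour lifetime are constructed values.

```python
import secrets
import time

SESSION_TTL_SECONDS = 3600  # assumed lifetime; tune to the app's risk


class WeakSessions:
    """The mistake: guessable tokens and identity taken from the client."""

    def __init__(self):
        self.counter = 0
        self.sessions = {}   # token -> user
        self.lineups = {}    # user -> list of players

    def login(self, user):
        self.counter += 1
        token = f"{user}-{self.counter}"   # predictable from user name + counter
        self.sessions[token] = user
        return token

    def set_lineup(self, user, players):
        self.lineups[user] = players       # trusts the user id the client names
        return True


class SecureSessions:
    """The fix: opaque random tokens, expiry, identity taken from the session."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for testing expiry
        self.sessions = {}   # token -> (user, expiry)
        self.lineups = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = (user, self.clock() + SESSION_TTL_SECONDS)
        return token

    def user_for(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() > expiry:          # stale session: drop it, deny access
            del self.sessions[token]
            return None
        return user

    def set_lineup(self, token, players):
        user = self.user_for(token)        # acting user comes only from the session
        if user is None:
            return False
        self.lineups[user] = players
        return True
```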

It is also concerning that the application went public without proper security testing – which would have uncovered the vulnerability. Oftentimes organizations are in a hurry to deliver mobile apps and sacrifice security as a result.

Finally, as a user of mobile apps, it is worth noting that failing to update your mobile apps in a timely manner puts you at unnecessary risk when vulnerabilities have been fixed in later versions.

About Dan Kuykendall
Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team. Connect with Dan on Google+

1 Comment on Mobile Application Security: Think Twice Before Placing Football Bets

  1. Who to start and who to sit for Week 13 of fantasy football. All Start ‘em Sit ‘em lists are general guides on how to set your lineup. If you have a specific start ‘em sit ‘em question, feel free to ask me on Twitter @SidSaysFC.
