Large organizations and networks such as CBS – given the sheer size of the company – are expected to follow best practices, especially when it comes to security. Or perhaps we expect too much of them: users of CBS’ Sports app were recently disillusioned to learn that their personal data had been transmitted with no encryption in place.
It is an alarming truth that millions of users have to face, and it stems from what looks like plain negligence on the part of companies, however urgent the issue. Security researchers at Wandera, who examined sports apps in February, were the first to discover the lack of encryption in the CBS app.
CBS was, fortunately, quick to fix the vulnerability in its Sports app, closing what could have been an opportunity for man-in-the-middle attackers and a massive data breach. Wandera found that when a person signed up through the CBS Sports app, it sent the user name, email address, account password, date of birth and zip code to its server over an unencrypted connection, so this sensitive information travelled in clear text.
The vulnerability was spotted by chance, when security researchers at Wandera noticed a sharp increase in traffic through the CBS Sports app. On inspection they found that the traffic was unencrypted, not only in the Android version of the app, which is normally the target of large-scale cyber attacks, but also in the iOS version, which is generally deemed more secure than Android.
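The kind of traffic audit that surfaces this behaviour, written here as an added example rather than anything from Wandera or CBS: it walks over captured requests in a hypothetical proxy-export format (URL, headers, body), and flags any that carry signup-style fields such as password, email, date of birth or zip code over a plain http:// URL. The hostnames and the three sample captures are constructed for the example.

```python
"""Audit captured app traffic for credentials sent without TLS.

Assumption (hypothetical): a proxy exported each request as a dict with
"url", "headers" and "body". The sample captures below are constructed
for this example and do not come from the CBS Sports app.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Field names that should never travel in cleartext; matched case-insensitively
# as substrings so "user_password" and "confirmPassword" are both caught.
SENSITIVE_FIELDS = ("password", "passwd", "email", "username",
                    "dob", "birth", "zip", "postal")


def extract_fields(headers, body):
    """Return body parameter names from a form-encoded or JSON request body."""
    ctype = headers.get("Content-Type", "").lower()
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data.keys()) if isinstance(data, dict) else []
    # Default: application/x-www-form-urlencoded
    return list(parse_qs(body, keep_blank_values=True).keys())


def sensitive_fields(names):
    """Keep only the field names that look like credentials or PII."""
    return sorted({n for n in names
                   if any(k in n.lower() for k in SENSITIVE_FIELDS)})


def audit_requests(captures):
    """Flag requests that carry sensitive fields over a cleartext (http://) URL.

    Returns a list of (host, path, [fields]) for each offending request.
    An https:// request carrying the same fields is not flagged: the
    transport, not the field itself, is the problem.
    """
    findings = []
    for req in captures:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue
        hits = sensitive_fields(
            extract_fields(req.get("headers", {}), req.get("body", "")))
        if hits:
            findings.append((parts.hostname, parts.path, hits))
    return findings


# Constructed sample: a cleartext signup, a harmless scores poll, an https login.
SAMPLE_CAPTURES = [
    {"url": "http://api.example.invalid/v1/signup",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": ("username=fan42&email=fan42%40example.invalid"
              "&password=hunter2&dob=1990-01-01&zip=10001")},
    {"url": "http://api.example.invalid/v1/scores?league=ncaab",
     "headers": {}, "body": ""},
    {"url": "https://api.example.invalid/v1/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"email": "fan42@example.invalid",
                         "password": "hunter2"})},
]

if __name__ == "__main__":
    for host, path, fields in audit_requests(SAMPLE_CAPTURES):
        print(f"CLEARTEXT {host}{path}: {', '.join(fields)}")
```

Only the signup request is reported. The scores poll is also cleartext but carries nothing sensitive, and the login over https is exactly the fix the article describes, so the audit stays quiet about it.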
Attackers had probably been waiting for the right moment to strike, since the bug was discovered just as the NCAA basketball tournament was heating up, when fans use the CBS Sports app to follow their teams’ scores. The exposure is alarming: more than 10 million Android users have downloaded the app so far, and it remains unclear how many iOS users have installed it.
But it is hard to excuse CBS for not encrypting users’ information at a time when encryption matters more than ever. Most alarming is that email addresses and passwords were sent to the company’s servers in plain text. Only after Wandera uncovered the flaw did CBS move to adopt HTTPS for the app’s traffic.
The problem with most companies is that they care more about getting to market than about building security into their products from the start of development.