ESPN ScoreCenter Mobile App Is Full Of Vulnerabilities [Security Test]

One of the most popular mobile applications for iOS devices is the ESPN ScoreCenter app. Unfortunately, it is also an application that is full of security vulnerabilities. While users love receiving live scores, news, videos and alerts to their iPhone and iPad devices, they could also be inviting mobile intruders.

The team at ZScaler recently performed a set of relatively simple tests on the ESPN ScoreCenter app, and they found several key vulnerabilities.

Here are the company’s testing results:

Vulnerability #1 – XSS

While we like to think of mobile apps as native to the mobile OS, ZSaler reveals that that is not necessarily the case. Mobile apps are actually displayed in a Webview control and mixed with native controls. According to ZScaler:

“As with many web apps, when user supplied content isn’t properly sanitized, active content, such as JavaScript can be injected. The included screenshot illustrates a simple alert window being displayed within the application. The vulnerable page also exists on the mobile web version of the app during logout and can be seen in the following sample URL:

http://m.espn.go.com/mobile/apps/reg/login?lang=en&timeOffset=-300&swid=63DBACA2-032F-491E-A28D-1B4835DC14XX&username=%3Cscript%3Ealert(‘test’)%3C/script%3E”

Using XSS attacks could allow hackers to steal a user’s authentication cookie.

Vulnerability #2 – Clear Text Authentication Credentials

Why in the world mobile credentials continue to be passed in clear text is beyond comprehension for most security experts, yet the ESPN ScoreCenter Mobile app chooses to pass information in such a manner. ZScaler notes that in web apps you can usually tell if something is being sent unencrypted. For example, HTTPS is not enabled. With mobile apps, end users are unfortunately blind to warning signs which would only serve to take up valuable screen real estates.

According to ZScaler:

“ESPN ScoreCenter’s flaw – sending your password in clear text. Therefore, anyone sniffing traffic on the network would be able to easily steal your username/password. More often than not, when I see this flaw, it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you’ve created an account, subsequent logins at the regular login page (/mobile/apps/reg/loginlanding) are sent via HTTPS. This is not the case however when an account is first created, with the username/password sent in clear text :

http://m.espn.go.com/mobile/apps/reg/createaccount

POST /mobile/apps/reg/createaccount HTTP/1.1
Host: m.espn.go.com
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A551
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://m.espn.go.com/mobile/apps/reg/createaccount
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: s_vi=62b95c266882437b80b87bd3e078cac5805e20de20a8387999d1c6b02c74a2d6
Proxy-Connection: keep-alive
Content-Length: 329
Origin: http://m.espn.go.com
Accept-Encoding: gzip, deflate

passedSubId=&langCode=&udid=&version=&userAgent…..birthdayYear=1973?

Overal,l the conclusion of the ESPN ScoreCenter tests found that the application is not safe for general use because of numerous easy to correct vulnerabilities in how the application handles mobile data.

Users interested in testing out their other apps for vulnerabilities can try out Zscaler’s free ZAP (Zscaler Application Profiler) service to inspect the application traffic. The application works for both iOS and Google Android based mobile applications.