BWW Geeks World

Zscaler Uncovers Security Vulnerabilities in ESPN ScoreCenter Mobile App


Zscaler, the leading provider of Security Cloud services for the mobile, social, everywhere enterprise, today revealed that ESPN ScoreCenter, one of the most popular mobile sports apps on the market, has significant security vulnerabilities that could compromise users' mobile devices, including the threat of data theft. The flaws were unearthed using Zscaler Application Profiler (ZAP), the free online tool that makes it easy to assess mobile apps for security risks. ESPN said it is looking into the vulnerabilities in the ScoreCenter app. For more detailed background on this specific mobile app security threat, including a video on how to use ZAP, visit this blog post.

The security vulnerabilities with the ESPN ScoreCenter app highlight a growing security problem as mobile apps proliferate and basic security measures are overlooked in the development process.

"It's important to remember that many mobile apps are not native applications - they're essentially web pages displayed in a WebView control, or even just web content mixed in with native controls," said Michael Sutton, VP, Security Research, Zscaler ThreatLabZ. "As such, vulnerabilities common to web applications can also occur in mobile apps. Users should be aware that such vulnerabilities in mobile apps often remain hidden, as apps don't have the same visual indicators to show that data is being sent insecurely."

First, by displaying basic web content without properly sanitizing user-supplied input, ESPN SportsCenter exposes a cross-site scripting (XSS) flaw. Therefore, active content such as JavaScript can be injected into the app. Second, ESPN SportsCenter passes authentication credentials in clear text when an account is first created. By sending the password in clear text, ESPN ScoreCenter enables anyone sniffing traffic on the network to easily steal that key piece of information.

The flaws were discovered using ZAP, Zscaler's Application Profiler. ZAP is an easy-to-use, free online tool where users can search for the name of any iOS or Android app and receive an instant assessment of its security and privacy risks, along with an overall risk score. Users can also use ZAP to scan traffic from an app installed on their device to see whether their own data is being exposed. No security expertise is needed to use ZAP. As more users submit mobile apps for analysis, Zscaler's ThreatLabZ team adds the results to the ZAP database, in effect crowdsourcing the security profiles of thousands of mobile apps.
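The two flaw classes described above (credentials sent in clear text, and user input returned to a WebView without sanitizing) can both be checked for in captured app traffic. The following is an added example, not Zscaler's ZAP code or anything from the release; the flow record fields, parameter names and `example.test` hosts are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that usually carry secrets (illustrative list).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}
HTML_META = set("<>\"'")

def request_params(flow):
    """Collect query-string and form-body parameters of one captured request."""
    params = parse_qsl(urlsplit(flow["url"]).query, keep_blank_values=True)
    if flow.get("content_type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(flow.get("body", ""), keep_blank_values=True)
    return params

def audit(flows):
    """Return (flow index, finding, parameter name) tuples for risky flows."""
    findings = []
    for i, flow in enumerate(flows):
        scheme = urlsplit(flow["url"]).scheme.lower()
        for name, value in request_params(flow):
            # Secret-bearing parameter on an unencrypted connection.
            if scheme == "http" and name.lower() in SENSITIVE and value:
                findings.append((i, "cleartext-credential", name))
            # Input containing HTML metacharacters comes back verbatim,
            # i.e. the server did not encode it before rendering.
            if HTML_META & set(value) and value in flow.get("response", ""):
                findings.append((i, "unescaped-reflection", name))
    return findings

# Constructed sample capture: one bad and one good case for each check.
FORM = "application/x-www-form-urlencoded"
SAMPLE_FLOWS = [
    {"url": "http://api.example.test/register", "content_type": FORM,
     "body": "user=alice&password=Tr0ub4dor", "response": "ok"},
    {"url": "https://api.example.test/register", "content_type": FORM,
     "body": "user=alice&password=Tr0ub4dor", "response": "ok"},
    {"url": "https://m.example.test/search?q=%3Cb%3Eteam%3C%2Fb%3E",
     "response": "<p>Results for <b>team</b></p>"},
    {"url": "https://m.example.test/search?q=%3Cb%3Eteam%3C%2Fb%3E",
     "response": "<p>Results for " + html.escape("<b>team</b>") + "</p>"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The reflection check uses a harmless `<b>` marker; a response that HTML-encodes the value, as in the last sample flow, produces no finding.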

SOURCE: BUSINESS WIRE ©2014 Business Wire
