Internet Security Conference Found to Have Exposed Attendees Data

The RSA conference app was shown to have serious security flaws that exposed conference attendees personal data.

| Apr 23, 2018 12:11 PM EST

Created: Apr 23, 2018 12:11 PM EST

A conference about cyber-security has admitted that the names of its conference attendees were exposed due to a security flaw. A security engineer poked around in the conferences app only to discover that it had limited security that allowed him to access the names of people attending the conference.

Breach accessed through App API

Generously, Svbl tweeted out the steps he took to access the information and immediately alerted organizers to the weakness. Svbl said the database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app.

RSA immediately fixed the problem but they were coy about admitting that the flaw was a pretty obvious oversight for anyone in the business. The conference responded with a statement saying:

"Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained."

For many in the industry, this response wasn’t good enough. The RSA website describes themselves saying, “Information is power. And wherever there’s power, there are people looking to steal it. But that’s also where you’ll find us. We’re RSA Conference. And we’re here to stand against cyberthreats around the world.”

Not the first data breach for RSA

Other Twitter users were quick to point out that the RSA had a similar security breach in 2014 when all the attendees names were able to be downloaded from the conferences app into SQLite DB. The conference this time, were lucky that svbl seemed to be poking around with the best of intentions.

Most Popular

This isn’t surprising. Let me remind you of the RSA Conference 2014 app that downloaded all attendees’ names into SQLite DB. https://t.co/96K4pyjPsr https://t.co/icTAUuEOtz
— Ming Chow (@0xmchow) April 19, 2018

"[I] only pulled a sample of data (~100 records) before I reported it to RSA directly and as you saw they fixed it very quick (which is awesome)," the researcher told media. SVBL confirmed that the method he had used to access the data was no longer available.

‘Thanks to @EventbaseTech / @RSAConference for fixing the data leak so quick! That is a great response time! Can confirm that the attendee data is not accessible anymore through the method I discovered,’ he Tweeted.

The conference which boats it has over 50,000 attendees will want to ensure it tightens up security before its next event which will be held next March in San Francisco. The discussion on Twitter regarding the breach continues.

The original friendly hacker who discovered the problem tweeted yesterday that they had been getting a huge amount of requests for the data being accessed. "I'm getting a surprising amount of people asking for a copy of the "RSA Attendee Data". In the spirit of full disclosure, I decided to publish everything here:’ he says.

I'm getting a surprising amount of people asking for a copy of the "RSA Attendee Data". In the spirit of full disclosure, I decided to publish everything here: https://t.co/Hi80YmXQ8M - Enjoy!
— svbl (@svblxyz) April 21, 2018

Another Twitter users says they had submitted a paper to the conference about private keys in Android apps. They Tweet, ‘I assume that it was rejected because it couldn't possibly be a relevant problem that affects people.’

It's sort of funny that the talk I submitted to @RSAConference this year was about private keys in Android apps. I assume that it was rejected because it couldn't possibly be a relevant problem that affects people.https://t.co/d5XnFfVabf pic.twitter.com/8t5N8XoIH2
— Will Dormann (@wdormann) April 20, 2018

Via: Mashable