A conference about cyber-security has admitted that the names of its attendees were exposed due to a security flaw. A security engineer poked around in the conference's app and discovered that its weak access controls allowed him to retrieve the names of people attending the conference.
"[It] was the API from http://eventbase.com that was used by the RSA conference app," the researcher, who goes by svbl, explained to media. "[The] vulnerability was on Eventbase's side."
Breach accessed through App API
Generously, svbl tweeted out the steps he took to access the information and immediately alerted organizers to the weakness. svbl said the database was reachable through an unsecured API, and that the credentials needed to call that API were hard-coded into the app itself.
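To make the weakness concrete from a defender's point of view, here is an added illustration (not code from the RSA Conference app, Eventbase, or the researcher). It contrasts the pattern the article describes, a single credential shipped inside the client that unlocks a bulk listing of every attendee, with a hardened design in which each user holds their own token and the server only ever returns the caller's own record, while logging cross-user requests so that enumeration attempts stand out. The attendee records, tokens, header names and endpoint behaviour are all constructed for this example.

```python
"""
Hypothetical attendee-lookup API, first with the weak pattern described in the
article (one shared credential baked into the client, endpoint returns every
attendee) and then hardened (per-user tokens, responses scoped to the caller,
audit log of denied cross-user reads). All data here is constructed.
"""
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample data; not real attendee records.
ATTENDEES: Dict[str, Dict[str, str]] = {
    "u1": {"first": "Ada", "last": "Lovelace"},
    "u2": {"first": "Alan", "last": "Turing"},
    "u3": {"first": "Grace", "last": "Hopper"},
}

# --- Weak pattern ---------------------------------------------------------
# One application-wide key that ships inside the mobile app binary. Anyone who
# extracts it from the app can call the endpoint and enumerate all attendees,
# because the key identifies the app, not a user, and nothing is authorized
# per record.
APP_KEY = "app-key-shipped-in-binary"  # constructed placeholder


def weak_list_attendees(headers: Dict[str, str]) -> Optional[List[Dict[str, str]]]:
    if headers.get("X-App-Key") != APP_KEY:
        return None
    return list(ATTENDEES.values())  # bulk read, no per-user authorization


# --- Hardened pattern -----------------------------------------------------
# Each user receives an opaque session token after logging in. The server keeps
# only a hash of the token, and every request is authorized against the
# caller's identity, so the endpoint can only return the caller's own record.
_TOKEN_HASHES: Dict[str, str] = {}  # sha256(token) -> user id
AUDIT_LOG: List[Dict[str, Optional[str]]] = []


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str) -> str:
    """Mint a fresh random token for a user; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    _TOKEN_HASHES[_hash(token)] = user_id
    return token


def _authenticate(headers: Dict[str, str]) -> Optional[str]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    # Looking up the hash rather than the raw token means a leaked server-side
    # table does not hand out usable credentials.
    return _TOKEN_HASHES.get(_hash(auth[len("Bearer "):]))


def hardened_get_attendee(headers: Dict[str, str], requested_id: str) -> Optional[Dict[str, str]]:
    """Return the requested record only if the caller is that same user."""
    caller = _authenticate(headers)
    if caller is None or requested_id != caller:
        # Record the denial; repeated cross-user requests from one token are
        # the signal that someone is trying to walk the attendee list.
        AUDIT_LOG.append({"event": "deny", "caller": caller, "requested": requested_id})
        return None
    return ATTENDEES.get(caller)


def enumeration_suspects(threshold: int) -> List[str]:
    """Authenticated users whose denied cross-user reads reach the threshold."""
    counts: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        if entry["event"] == "deny" and entry["caller"] is not None:
            counts[entry["caller"]] = counts.get(entry["caller"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Weak design: the embedded key alone yields the whole list.
    print("weak:", weak_list_attendees({"X-App-Key": APP_KEY}))
    # Hardened design: a user sees only their own record, and probing others is logged.
    tok = issue_token("u1")
    print("own record:", hardened_get_attendee({"Authorization": "Bearer " + tok}, "u1"))
    for other in ("u2", "u3"):
        hardened_get_attendee({"Authorization": "Bearer " + tok}, other)
    print("suspects:", enumeration_suspects(2))
```

The point of the contrast is not the token mechanics but the authorization step: even with a leaked client, the hardened endpoint cannot be turned into a bulk export, and the audit log gives operators something to alert on.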
RSA immediately fixed the problem, but was coy about admitting that the flaw was a fairly obvious oversight for anyone in the business. The conference responded with a statement saying:
"Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained."
For many in the industry, this response wasn't good enough. The RSA Conference website describes the organization as follows: "Information is power. And wherever there's power, there are people looking to steal it. But that's also where you'll find us. We're RSA Conference. And we're here to stand against cyberthreats around the world."
Not the first data breach for RSA
Other Twitter users were quick to point out that RSA had a similar security breach in 2014, when all attendee names could be downloaded from the conference's app as a SQLite database. This time, the conference was lucky that svbl seemed to be poking around with the best of intentions.
"[I] only pulled a sample of data (~100 records) before I reported it to RSA directly and as you saw they fixed it very quick (which is awesome)," the researcher told media. svbl confirmed that the method he had used to access the data was no longer available.
"Thanks to @EventbaseTech / @RSAConference for fixing the data leak so quick! That is a great response time! Can confirm that the attendee data is not accessible anymore through the method I discovered," he tweeted.
The conference, which boasts over 50,000 attendees, will want to ensure it tightens up security before its next event, to be held next March in San Francisco. The discussion on Twitter regarding the breach continues.
The friendly hacker who originally discovered the problem tweeted yesterday that he had been receiving a large number of requests for the data he had accessed. "I'm getting a surprising amount of people asking for a copy of the 'RSA Attendee Data'. In the spirit of full disclosure, I decided to publish everything here:" he says.
I'm getting a surprising amount of people asking for a copy of the "RSA Attendee Data". In the spirit of full disclosure, I decided to publish everything here: https://t.co/Hi80YmXQ8M - Enjoy! — svbl (@svblxyz) April 21, 2018
Another Twitter user says they had submitted a paper to the conference about private keys in Android apps. They tweeted, "I assume that it was rejected because it couldn't possibly be a relevant problem that affects people."
It's sort of funny that the talk I submitted to @RSAConference this year was about private keys in Android apps. I assume that it was rejected because it couldn't possibly be a relevant problem that affects people. https://t.co/d5XnFfVabf pic.twitter.com/8t5N8XoIH2 — Will Dormann (@wdormann) April 20, 2018