Official Black Hat USA App Allows Spying, Attendee Impersonation

Ah, the irony: As the security community gears up for Black Hat USA 2016, a flaw in the official conference app enables attackers to become anyone or spy on attendees.

Conference attendees can install the app on their mobile devices to browse the conference’s agenda, get exhibitor info, message attendees, schedule events they will attend and participate in a conference-wide Twitter-like activity feed. According to Lookout Security, a flaw opens the door to attendee impersonation—so users should be cautious of any activity or messages that are posted or received within the app.

“While investigating both the iOS and Android versions of the Black Hat USA 2016 app, we discovered that a user could register using any email address they want (as long as it hasn’t already been used to register with the app previously),” explained Lookout researcher Andrew Blaich, in a blog post. “This includes any email address, whether or not the person signing up owns the email address. It doesn’t even matter if the email address exists at all.” Further, the Black Hat app does not require email confirmation before login; the user is immediately logged into the app after typing in any email address.
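The flaw described above comes down to a missing ownership check: the account is created and usable the moment an address is typed in, so nothing ties it to the person who actually controls that mailbox. The following is an added illustration written for this page, not the Black Hat app's code or Lookout's; it contrasts that weak flow with the usual mitigation, an account that stays pending until a one-time token delivered to the mailbox is presented back. The in-memory `RegistrationService`, the `outbox` list that stands in for an e-mail sender, and the 15-minute token lifetime are all assumptions made for the example.

```python
"""Email-ownership verification at registration (illustrative, not the app's code).

Weak flow: the account is active for any address as soon as it is entered.
Hardened flow: the account stays pending until the holder of that mailbox
presents the random one-time token that was sent to it.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy for this example: confirmation tokens expire after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str
    verified: bool
    pending_token: Optional[str] = None
    token_issued_at: float = 0.0


@dataclass
class RegistrationService:
    require_verification: bool = True
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Stands in for the mail sender; only the mailbox owner would see these.
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def register(self, email: str, now: Optional[float] = None) -> Account:
        email = email.strip().lower()
        if email in self.accounts:
            raise ValueError("address already registered")
        if not self.require_verification:
            # Weak flow (the behaviour the article describes): whoever types
            # the address gets a live account under it, owner or not.
            acct = Account(email=email, verified=True)
        else:
            token = secrets.token_urlsafe(32)  # unguessable, single use
            acct = Account(email=email, verified=False,
                           pending_token=token,
                           token_issued_at=now if now is not None else time.time())
            self.outbox.append((email, token))
        self.accounts[email] = acct
        return acct

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Activate the account only if the presented token matches and is fresh."""
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.verified or acct.pending_token is None:
            return False
        now = now if now is not None else time.time()
        if now - acct.token_issued_at > TOKEN_TTL_SECONDS:
            return False  # expired: the user must request a new link
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if not hmac.compare_digest(acct.pending_token.encode(), token.encode()):
            return False
        acct.verified = True
        acct.pending_token = None  # token is single use
        return True

    def login(self, email: str) -> bool:
        """Unverified (pending) accounts cannot log in at all."""
        acct = self.accounts.get(email.strip().lower())
        return acct is not None and acct.verified
```

The important difference is not the token itself but the `login` gate: until `confirm` succeeds, the account exists only as a pending record, so an address that was never confirmed cannot be used to post or message as its owner.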

Read more at
http://www.infosecurity-magazine.com/news/official-black-hat-usa-app-allows/