Dive Brief:
- The app for this year's RSA Conference in San Francisco had a critical flaw that left user data compromised, reports CyberScoop. A security researcher disclosed the flaw on Twitter:
    Hi #RSAC2018. pic.twitter.com/9y1sDK723B
    — svbl (@svblxyz) April 19, 2018
- The user database was exposed through an unsecured API that was accessible via "credentials hard-coded into the app," according to the report. In 2014, a similar flaw in the conference's app left attendees' titles, employers and nationalities exposed.
- Of the tens of thousands of attendees, only 114 were affected by the data leak, according to RSA's event staff. The flaw has since been remedied and the incident has been "contained."
    — RSA Conference (@RSAConference) April 20, 2018
Dive Insight:
RSA is a conference designed to inform industry professionals about the best cybersecurity practices. It brings together cybersecurity experts from around the world, and some researchers use it as a security education playground. For example, the conference Wi-Fi is available through an open, unsecured network, from which RSA, Cisco and AMP Threat Grid glean data for an "educational demonstration on a Working SOC."
Other security vulnerabilities, however, were not planned. In an ironic data breach, the conference itself failed a basic security measure.
When the right privacy and authentication measures are in place, APIs grant specified personnel access to data, and they give partners or developers within an organization a useful, controlled way to reach that data.
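As an added illustration (not code from the article or from the conference app), the contrast between an attendee API that trusts one credential shipped inside the app, as the report describes, and one that issues per-user tokens at login; the records, the key and the function names are constructed for the example:

```python
# Added example (not from the article or the conference app): a minimal attendee
# API contrasting the weak design reported here (one app-wide credential shipped
# inside the app, unlocking the whole user database) with a per-user design.
# Data, credentials and function names are constructed for illustration.
import hmac
import secrets

ATTENDEES = {  # constructed sample records, not real attendee data
    "u1": {"name": "Ada", "employer": "ExampleCorp", "title": "Engineer"},
    "u2": {"name": "Bob", "employer": "SampleInc", "title": "Analyst"},
}

# Weak design: a single key baked into every copy of the mobile app.
APP_WIDE_KEY = "constructed-hardcoded-app-key"

def list_attendees_weak(presented_key: str) -> list[dict]:
    """Anyone who extracts the embedded key gets the full database."""
    if not hmac.compare_digest(presented_key, APP_WIDE_KEY):
        raise PermissionError("bad key")
    return list(ATTENDEES.values())

# Hardened design: credentials are issued per user at login, never embedded,
# and each token only unlocks the record of the user it was issued to.
_SESSIONS: dict[str, str] = {}  # token -> user id

def login(user_id: str) -> str:
    """Issue a random per-user session token after authentication (assumed done)."""
    if user_id not in ATTENDEES:
        raise PermissionError("unknown user")
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user_id
    return token

def get_own_record(token: str) -> dict:
    """Return only the caller's own record; no endpoint enumerates the database."""
    user_id = _SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("invalid or expired token")
    return ATTENDEES[user_id]
```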
In this case, the flaw was not believed to have been exploited with malicious intent; the researcher who found it appeared simply to be pointing it out.