Flaws Found: Social Side of Black Hat App Goes Dark
Who hacks the hackers? As it turns out, just about anyone.
According to CSO Online, the official app for this year’s Black Hat conference contained a number of serious social flaws — worrisome enough that organizers stripped out specific functions before the app went live.
Thankfully, the nearly two-decade old event, which bills itself as “the most technical and relevant global information security event in the world,” had the foresight to disclose the app for testing before a public rollout. Here’s a look at where this Black Hat app went off the rails.
Of Lies and Logins
After some hands-on time with the Black Hat app, researchers from Lookout had some serious concerns about its social functionality.
It all started with the sign-up process, which allowed users to build a profile, browse sessions and send messages to other attendees. The problem: With no verification for email addresses, users could either create entirely fake profiles or sign up using the name of someone else at the conference.
Black Hat App: A Troll’s Playground
For those interested in simply trolling the event, it was possible to enter nonsense email address details and create fake profiles with the photo and corporate details of their choice. Since corporate email addresses often follow a set pattern, there was also potential for impersonation. People could sign up as an attendee who works for a competitor, use their real email address and then send messages to other users or make offensive comments on posts in a conferencewide activity feed.
It gets worse. If users discovered someone else had registered their name and email address, it was possible to ask for a password reset. The problem: This reset didn’t end the session of other users logged in to the same account, meaning that so long as impostors didn’t manually sign out, they retained access to all features and data enjoyed by the legitimate account owner, without that owner’s knowledge.
As a result of this disclosure, the app was pulled; better to release a truncated piece of software than a significant security risk at a conference designed to address these exact types of security issues.
Hats Off to Black Hat
Black Hat continues to do good work in the security community, especially when it comes to tapping the pulse of emergent issues.
As noted by The Wall Street Journal, the conference received 50 proposals this year for talks related to the Internet of Things (IoT). While it only had space for 13, the trend is obvious: A bigger attack surface makes for a more appealing target.
Black Hat has been right before. In 1997, attacking Windows was a key conference focus; a decade later, cracking iPhones was the big draw. This year, there’s talk about proof-of-concept attacks on network-connected vehicles moving at significant speed, unlike last year’s 5 mph maximum.
Nothing Is Safe
But here’s the takeaway, and it’s inherent in the Black Hat ethos itself: Nothing is safe. No device, no app and no data is immune from potential misuse or compromise. Even an application specifically designed for a high-level security conference contained a number of glaring and potentially devastating flaws. Thankfully, organizers practiced what they preach and used critical feedback to pull the plug on social security risks.
Heading to Black Hat this year? Enjoy Vegas and learn more about advanced threats — but for the sake of corporate safety, maybe give the official app a pass.