Earlier this month the Vatican unveiled an eRosary wearable that tracked prayer progress and required users to make the sign of the cross to activate.
It comes with a dedicated app… which was hacked within 15 minutes of going live.
Fortunately, this major security flaw was discovered by French security researcher Baptiste Robert, rather than someone with more nefarious motives.
Robert told CNET that the flaw allowed someone to gain access to a user's 'Click To Pray' account, as well as their personal information, because of how the login credentials worked.
The app requires an email to sign up, but issues a PIN to use for login rather than a password.
However, the server's response to that PIN request contained the PIN itself. This meant that anyone able to observe the app's network traffic could read the PIN from the response, the same PIN that was being emailed to the user.
To make matters worse, if someone intercepted the PIN and used it to log in to a user's account, the app would log the original user out of their own device.
This flaw also enabled people to request new PIN codes with ease, which Robert demonstrated to CNET.
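To make the login design concrete, here is an added Python example (illustrative code, not the Click To Pray app's code and not Robert's published findings) that models an email-PIN login backend in two forms: one that returns the PIN in the response to the request that generates it, and a hardened one that only ever sends the PIN by email and adds expiry, single use, a guess limit and request throttling. The class names, the thresholds, the in-memory "outbox" and the sample address are all assumptions made for the example.

```python
"""Added example: an email-PIN login flow, vulnerable and hardened.
Not the Click To Pray app's code; all names and thresholds are assumptions."""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600          # assumption: a PIN stays valid for 10 minutes
MAX_VERIFY_ATTEMPTS = 5        # assumption: a PIN dies after 5 wrong guesses
MAX_REQUESTS_PER_WINDOW = 3    # assumption: at most 3 PINs per email per TTL window
SERVER_KEY = secrets.token_bytes(32)  # assumption: in production a persisted secret

# Constructed stand-in for the mail system: (recipient, pin) pairs the server "sent".
OUTBOX = []


def send_email(to, pin):
    OUTBOX.append((to, pin))


def new_pin():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerablePinService:
    """Models the flaw described in the article: the PIN is issued by email,
    but the API response to the PIN request also carries the PIN."""

    def __init__(self):
        self.pins = {}  # email -> plaintext PIN, no expiry, no guess limit

    def request_pin(self, email):
        pin = new_pin()
        self.pins[email] = pin
        send_email(email, pin)
        # The bug: anyone who can see this response learns the PIN without
        # ever reading the user's inbox.
        return {"status": "ok", "pin": pin}

    def verify(self, email, pin):
        return self.pins.get(email) == pin  # also a non-constant-time compare


class HardenedPinService:
    """Same user-facing flow, but the PIN only travels by email and is
    stored keyed-hashed, time-limited, single-use and guess-limited."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised offline
        self.pins = {}        # email -> {"mac", "expires", "attempts"}
        self.requests = {}    # email -> timestamps of recent PIN requests

    @staticmethod
    def _mac(email, pin):
        # Keyed hash: a 6-digit PIN is trivially brute-forced offline from a
        # plain hash, so the key plus the attempt limit do the real work.
        return hmac.new(SERVER_KEY, f"{email}:{pin}".encode(), hashlib.sha256).digest()

    def request_pin(self, email):
        t = self.now()
        recent = [r for r in self.requests.get(email, []) if t - r < PIN_TTL_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            # Throttled: same response as success so the caller learns nothing.
            return {"status": "ok"}
        self.requests[email] = recent + [t]
        pin = new_pin()
        self.pins[email] = {
            "mac": self._mac(email, pin),
            "expires": t + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        send_email(email, pin)
        return {"status": "ok"}  # the PIN itself never appears in the response

    def verify(self, email, pin):
        rec = self.pins.get(email)
        if rec is None or self.now() > rec["expires"] or rec["attempts"] >= MAX_VERIFY_ATTEMPTS:
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["mac"], self._mac(email, pin))
        if ok:
            del self.pins[email]  # single use: a replayed PIN fails
        return ok


def takeover_via_response(service, victim_email):
    """Attacker's view of the vulnerable flow: request a PIN for the victim
    and log in with the PIN the server hands back."""
    resp = service.request_pin(victim_email)
    return service.verify(victim_email, resp["pin"]) if "pin" in resp else False
```

The throttling deliberately answers "ok" whether or not an email was sent, so an attacker probing the endpoint cannot tell a throttled request from a real one; the user's inbox, not the API, is the only channel that carries the code.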
Gaining access to someone's Click To Pray account gave a hacker access to the user's personal information such as birthday, gender, height and weight, as well as logged information such as the number of steps taken, distance travelled and times prayed.
They could also delete the account from inside the app.
Considering that the app also asks for location data and call permission – this is an alarming amount of information to be so easily accessible to someone looking to phish for user info.
Fortunately, a fix for this security flaw has since been issued.
Still, it's an important lesson for wearable and app companies to remember. As tech and people become more connected, airtight security for the information they collect needs to be at the forefront of development.