When you go to a security conference, and its mobile app leaks your data

Enlarge / Screenshots of the RSA Conference application from the Google Play Store. The app's Web interface leaked attendee data when supplied with a token obtained by registering the app. (credit: Google Play Store )

A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

pic.twitter.com/QzTjOvMhSi

— RSA Conference (@RSAConference) April 20, 2018

The vulnerability was discovered (at least publicly) by a security engineer who tweeted discoveries during an examination of the RSA conference mobile app, which was developed by Eventbase Technology. Within four hours of the disclosure, Eventbase had fixed the data leak—an API call that allowed anyone to download data with attendee information.

If you attended #RSAC2018 and see your first name there - sorry! pic.twitter.com/YrgZo6jHDu

— svbl (@svblxyz) April 20, 2018

Accessing the attendee list required registering an account for the application, logging in, and then grabbing a token from an XML file stored by the application. Since registration for the application only required an email address, anyone who could dump the files from their Android device could obtain the token and then insert it into a Web-based application interface call to download attendee names. While the SQLite database downloaded was encrypted, another API call provided that key.