Vatican’s wearable rosary gets fix for app flaw allowing easy hacks


    • #37685
      Telegram SmartBoT
      Moderator
        @tgsmartbot

        #News(Security) [ via IoTGroup ]


        Headings…
        Vatican’s wearable rosary gets fix for app flaw allowing easy hacks

        Auto extracted Text……

        The Vatican discovered that Thursday, after a security researcher disclosed a severe vulnerability with the “Click to Pray” eRosary app.
        On Wednesday, the Vatican announced its $110 wearable rosary, an internet of things device that syncs with an app from the Pope’s Worldwide Prayer Network.
        With the eRosary, the Vatican said, people can get different prayers every day, as well as reminders on when to pray.
        The downside of IoT devices is that they’re ripe for security issues.
        Lawmakers in the US have consistently called out poor security practices on connected gadgets, warning that they could lead to a flood of vulnerable devices.
        French security researcher Baptiste Robert found a significant flaw in the Vatican’s app within 15 minutes.
        The vulnerability would have let a hacker take over a person’s account, just by knowing the potential victim’s registered email address.
        “This vulnerability is very severe as it allows an attacker to take over the victim’s account and get his personal information,” Robert said in a message.
        The Vatican didn’t respond to a request for comment.
        Robert said he reached out to the Vatican on Wednesday and the security issue has since been fixed.
        The flaw worked because of how the app handled login credentials, Robert said.
        When you register for the “Click to Pray” app, you sign up with an email, and instead of setting a password, the app sends a PIN code to your inbox.
        Before the fix, the app was sending out requests to its server to email you the four-digit PIN.
        The issue was that the PIN code itself was also sent on the network.
        Robert demonstrated this vulnerability with an account we created on the app.
        Every time he gained access to the account, the app logged me out, telling me I was logged in on another device.
        It also sent an email with a new PIN code I didn’t request.
        Once he had access, Robert was able to do anything I could on the account.


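The article explains the flaw in two sentences: the app asked the server to email a four-digit PIN, and the server's reply also carried the PIN. The Python below is an added example, not code from the forum post, the article, or the eRosary app. It models a passwordless email-PIN login, placing the leaky pattern beside a hardened one in which only a salted hash, an expiry and an attempt counter live server-side and the response body carries nothing usable for login. It also includes a regression check a defender can run in tests: whether any PIN that was emailed ever appears in a response. The function names, the in-memory stores, the `OUTBOX` stand-in for a mail queue, and the TTL and attempt limits are all assumptions.

```python
"""Added example (not the eRosary app's code): a minimal model of an
email-PIN login flow. Shows the defect the article describes (PIN echoed
in the network response) beside a hardened version that keeps the PIN
server-side. Names, storage and the mail hook are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

PIN_TTL_SECONDS = 300   # assumption: a PIN is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: discard the PIN after five wrong guesses

# Constructed stand-in for an outbound mail queue: list of (to, body).
OUTBOX = []


def send_email(to, body):
    OUTBOX.append((to, body))


def new_pin():
    # Four digits, as in the article; secrets avoids a guessable PRNG.
    return f"{secrets.randbelow(10000):04d}"


# --- Leaky pattern, as the article describes it: the server emails the
# --- PIN and also returns it in the HTTP response body.
def vulnerable_request_pin(email):
    pin = new_pin()
    send_email(email, f"Your PIN is {pin}")
    return {"status": "sent", "pin": pin}   # defect: PIN travels on the wire


# --- Hardened pattern: only a salted hash, an expiry and an attempt
# --- counter are kept server-side; the response carries no secret.
PENDING = {}   # email -> {"hash": bytes, "salt": bytes, "exp": float, "tries": int}


def _digest(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def fixed_request_pin(email):
    pin = new_pin()
    salt = secrets.token_bytes(16)
    PENDING[email] = {"hash": _digest(pin, salt), "salt": salt,
                      "exp": time.time() + PIN_TTL_SECONDS, "tries": 0}
    send_email(email, f"Your PIN is {pin}")
    return {"status": "sent"}   # nothing here lets a caller log in


def verify_pin(email, pin):
    rec = PENDING.get(email)
    if rec is None or time.time() > rec["exp"]:
        return False
    rec["tries"] += 1
    if rec["tries"] > MAX_ATTEMPTS:
        del PENDING[email]      # too many guesses: force a fresh PIN request
        return False
    if hmac.compare_digest(_digest(pin, rec["salt"]), rec["hash"]):
        del PENDING[email]      # single use
        return True
    return False


def response_leaks_pin(response, email):
    """Regression check: does the JSON the client receives contain any PIN
    that was emailed to this address? Useful as a unit test on the API."""
    body = json.dumps(response)
    pins = [b.rsplit(" ", 1)[1] for to, b in OUTBOX if to == email]
    return any(p in body for p in pins)


if __name__ == "__main__":
    who = "user@example.test"   # constructed address
    print("leaky  :", response_leaks_pin(vulnerable_request_pin(who), who))
    print("fixed  :", response_leaks_pin(fixed_request_pin(who), who))
```

The `response_leaks_pin` check is the piece worth keeping in a real test suite: it compares what the mail hook was asked to send against what the API handed back, so a regression that reintroduces the PIN into any response field fails the build rather than reaching production.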
