A vulnerability in the Flash Seats Mobile App for iOS could allow attackers to steal login credentials using a man-in-the-middle attack, the CERT/CC has warned.

The Flash Seats Mobile App for iOS, a sports and entertainment ticket management app, is vulnerable to man-in-the-middle attacks due to improper validation of SSL certificates provided by HTTPS connections. According to a vulnerability advisory by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, there is no current patch.

Attackers who exploit this flaw, which is officially designated CVE-2017-3190, may be able to obtain sensitive account information such as login credentials, the CERT/CC warned on Wednesday.

To overcome this problem, the CERT/CC recommends using Flash Seats' website version instead of its mobile app. Users who risk using the app should at least avoid using public WiFi and other untrusted networks.

Will Dormann, a vulnerability analyst at the CERT/CC, is credited with discovering the vulnerability.