The Flash Seats Mobile App for iOS, a sports and entertainment ticket management app, is vulnerable to man-in-the-middle attacks due to improper validation of SSL certificates provided by HTTPS connections. According to a vulnerability advisory by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, there is no current patch.
Attackers who exploit this flaw, which is officially designated CVE-2017-3190, may be able to obtain sensitive account information such as login credentials, the CERT/CC warned on Wednesday.
To overcome this problem, the CERT/CC recommends using Flash Seats' website version instead of its mobile app. Users who risk using the app should at least avoid using public WiFi and other untrusted networks.
Will Dormann, a vulnerability analyst at the CERT/CC, is credited with discovering the vulnerability.