XSS flaws detected in ESPN ScoreCenter mobile app

Researchers have discovered two security holes in a sporting mobile app, less than two weeks ahead of one of America's biggest sporting events.

According to Zscaler, a cross-site scripting (XSS) flaw in the app ‘ESPN ScoreCenter’ could allow an attacker to access usernames and passwords when users set up their accounts.

This year's Super Bowl will be contested between the San Francisco 49ers and Baltimore Ravens on Sunday 3rd February. Zscaler's research said that the coding error would primarily be a concern for individuals who reuse the same login credentials across multiple accounts, such as their banks.

Meanwhile, attackers could leverage the XSS bug to conduct a number of malicious actions, including injecting client-side script into web pages, stealing a user's authentication cookie, and bypassing other access controls to gain sensitive user data.

ESPN ScoreCenter is a free app available for Android, iPhone and Windows Phone users, and provides personalised scoreboards and live alerts on sports teams, players and leagues. The vulnerabilities were discovered in version 3.0 of the app.

Michael Sutton, vice president of security research at Zscaler, said: “As with many web apps, when user-supplied content isn't properly sanitised, active content, such as JavaScript, can be injected.

“Anyone sniffing traffic on the network would be able to easily steal your username/password. More often than not, when I see this flaw [in mobile apps], it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you've created an account, subsequent logins at the regular login page are sent via HTTPS [HyperText Transfer Protocol Secure]. This is not the case, however, when an account is first created, with the username/password sent in clear text.”
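As an added illustration (not code from Zscaler, ESPN or this article), the Node.js snippet below shows the two defects Sutton describes beside their fixes: a user-supplied name echoed into HTML without encoding, and an account-creation request that is allowed to travel over plain HTTP. The endpoint path and base URLs are assumed for the example.

```javascript
// Added example, not the app's own code. Two defects and their fixes:
// (1) user-supplied content rendered into HTML without encoding;
// (2) credentials posted at signup without requiring HTTPS.

// (1a) Vulnerable rendering: the name is concatenated straight into markup,
// so a name containing <script> tags becomes active content in the page.
function renderWelcomeVulnerable(displayName) {
  return `<p>Welcome, ${displayName}!</p>`;
}

// (1b) Hardened rendering: encode the characters HTML treats as markup
// before placing untrusted text into an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderWelcomeSafe(displayName) {
  return `<p>Welcome, ${escapeHtml(displayName)}!</p>`;
}

// (2) Hardened signup client: refuse to build the request unless the
// endpoint is HTTPS, so credentials are never sent in clear text even when
// the configured base URL is wrong. Path '/account/create' is assumed.
function buildSignupRequest(baseUrl, username, password) {
  const url = new URL('/account/create', baseUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing to send credentials over ${url.protocol}`);
  }
  return {
    url: url.toString(),
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Constructed sample input: a display name carrying a harmless script tag.
const sampleName = '<script>alert(1)</script>';
console.log('vulnerable:', renderWelcomeVulnerable(sampleName));
console.log('hardened:  ', renderWelcomeSafe(sampleName));
try {
  buildSignupRequest('http://example.invalid', 'alice', 'hunter2');
} catch (e) {
  console.log('signup over http rejected:', e.message);
}
```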

In an email to SC Magazine US, an ESPN spokeswoman said the company “immediately began investigating the issue” once it was made aware of the flaws. “It has been resolved,” she wrote.