Leaky API exposes Black Hat attendees’ personal data

Embarrassing breach revealed names, email addresses, phone numbers and more

Leaky bucket

One of the world's biggest cyber security conferences was put in an awkward position after a poorly-secured API enabled a security researcher to download the personal details and contact information of every attendee.

The annual Black Hat conference in Las Vegas is among the most anticipated events in the infosec calendar, with hackers, security researchers and law enforcement officials alike descending on Nevada for a week of demonstrations, hands-on sessions and general security knowledge-sharing.

The nature of the conference, as well as the adversarial relationship between some of the groups in attendance, means that OpSec (or operational security) is a priority for guests at the show. This is precisely why security researcher NinjaStyle was surprised to discover that a flaw had left Black Hat attendee data exposed. 

Like many conferences, the badges issued to Black Hat attendees include an NFC tag, which exhibitors at the show can scan to collect details used for marketing purposes. After investigating this tag, NinjaStyle discovered that it included a link to download business card reader app BCard.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

NinjaStyle downloaded and decompiled the app, and found an API endpoint, which the app used to fetch data from the server. After identifying which portions of the code identified the event ID and the badge ID, he used this data to try and download his information from the BCard server.

"To my surprise, I was able to pull my attendee data completely unauthenticated over this API," he explained in a blog post. "Next, I did some math to determine the feasibility of brute forcing all BlackHat attendees."

"The rate at which we were able to brute force the API would mean that we could successfully collect all BlackHat 2018 registered attendees' names, email addresses, company names, phone numbers, and addresses in only approximately 6 hours."

The issue, which BCard blamed on a "legacy system", has now been fixed, and NinjaStyle noted the quick work of the BCard team, stating that it was resolved "within 24 hours of initial contact".

It should be noted that the breach was not directly due to a lapse in security on the part of Black Hat's organisers and there is currently no indication that this flaw has been maliciously exploited. 

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020