Here’s a new adage for 2018: It’s not a true security conference until someone discovers a flaw in the technology used by the conference’s event staff.
A security researcher on Twitter discovered a flaw in the 2018 RSA Conference app Thursday that exposed a database of information tied to conference attendees. The database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app.
Hi #RSAC2018. pic.twitter.com/9y1sDK723B
— svbl (@svblxyz) April 19, 2018
If you attended #RSAC2018 and see your first name there – sorry! pic.twitter.com/YrgZo6jHDu
— svbl (@svblxyz) April 20, 2018
The conference’s event staff confirmed the flaw, saying that 114 attendees had their information leaked.
— RSA Conference (@RSAConference) April 20, 2018
The conference worked with mobile event platform Eventbase to fix the flaw before further damage could be done.
“No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation,” said Linda Gray Martin, the director and general manager of RSA Conference.
Thanks to @EventbaseTech / @RSAConference for fixing the data leak so quick! That is a great response time! Can confirm that the attendee data is not accessible anymore through the method I discovered.
— svbl (@svblxyz) April 20, 2018
The leak is not the first time the conference has had security issues. The 2014 version of the app had problems including a database leak that exposed the name, title, employer, and nationality of anyone who used it.