Researchers at Zscaler have uncovered a cross-site scripting vulnerability and found that passwords were being sent in clear text.
"The mobile application, currently ranked the No. 1 free sports app in the Apple iTunes store, was failing to protect user login credentials, according to San Jose, Calif.-based Zscaler," writes CRN's Robert Westervelt. "The security firm said it also found a cross-site scripting vulnerability, a common Web application flaw."
"An ESPN spokesperson said the issues were resolved after being notified by Zscaler," Westervelt adds.
"Once compromised, an ESPN account offers a potential attacker access to your birth date, as well as complete access to your groups and friends' lists, allowing the attacker to attempt launching fraudulent campaigns on your behalf, such as disseminating links to client-side exploits and malware serving sites, campaigns directly impersonating ESPN, or 'need cash now' type of scams," notes ZDNet's Dancho Danchev.
"It is disappointing to see that the testing performed on apps before they are admitted by Apple to the iTunes store does not even include such basic security tests such as looking for XSS vulns and sending passwords in clear text," writes Zscaler's Michael Sutton.