A “legacy system” was to blame for exposing a trove of data on attendees of this year’s Black Hat security conference.
A Colorado-based penetration tester and security researcher who goes by the handle NinjaStyle said it would have taken about 6 hours to collect all the registered attendees’ names, email and home addresses, company names, and phone numbers from anyone who registered for the 2018 conference.
In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext alongside other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in the code, which he used to pull his own data from the server without any security checks.
By enumerating and cycling through unique badge ID numbers, he was able to download a few hundred Black Hat attendee records from the server. The API was not rate limited, either at all or enough to prevent the mass downloading of attendee records, the blog post said.
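The two weaknesses the post describes, an endpoint that returns a record for any badge ID and no rate limit on how fast IDs can be tried, both leave a clear footprint in server logs: one client walking consecutive IDs in a burst. The following is an added example, not code from the article, the researcher, or BCard, that shows how a defender would detect that pattern in access logs and how a per-client sliding-window limit would have cut the burst off. The log format, the `/api/badge/<id>` path and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical badge-lookup endpoint
# (/api/badge/<id> is an assumed path, not the real BCard API). The first
# client walks ten consecutive badge IDs in five seconds; the second makes
# three unrelated lookups spread over several minutes.
SAMPLE_LOG = """\
2018-08-09T10:00:00Z 203.0.113.5 GET /api/badge/100410 200
2018-08-09T10:00:01Z 203.0.113.5 GET /api/badge/100411 200
2018-08-09T10:00:01Z 203.0.113.5 GET /api/badge/100412 200
2018-08-09T10:00:02Z 203.0.113.5 GET /api/badge/100413 200
2018-08-09T10:00:02Z 203.0.113.5 GET /api/badge/100414 200
2018-08-09T10:00:03Z 203.0.113.5 GET /api/badge/100415 404
2018-08-09T10:00:03Z 203.0.113.5 GET /api/badge/100416 200
2018-08-09T10:00:04Z 203.0.113.5 GET /api/badge/100417 200
2018-08-09T10:00:04Z 203.0.113.5 GET /api/badge/100418 200
2018-08-09T10:00:05Z 203.0.113.5 GET /api/badge/100419 200
2018-08-09T10:01:00Z 198.51.100.7 GET /api/badge/100500 200
2018-08-09T10:02:30Z 198.51.100.7 GET /api/badge/100777 200
2018-08-09T10:05:00Z 198.51.100.7 GET /api/badge/100501 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /api/badge/(?P<badge_id>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse lines into (timestamp, client, badge_id, status) tuples, oldest first.
    Malformed lines are skipped; the stable sort keeps per-client order for ties."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m["client"], int(m["badge_id"]), int(m["status"])))
    records.sort(key=lambda r: r[0])
    return records


def find_enumeration(records, min_run=5, window=timedelta(minutes=5)):
    """Return {client: (run_length, first_id, last_id)} for each client whose
    requests contain a run of at least `min_run` badge IDs where every ID is
    exactly one more than the previous one, completed within `window`.
    A 404 inside the run still counts: the probe was made whether or not
    that ID existed, which is exactly what enumeration looks like."""
    by_client = defaultdict(list)
    for ts, client, badge_id, _status in records:
        by_client[client].append((ts, badge_id))

    alerts = {}
    for client, hits in by_client.items():
        best = None
        run_start = 0
        for i in range(1, len(hits) + 1):
            # Keep extending the run while the ID increases by exactly one.
            if i < len(hits) and hits[i][1] == hits[i - 1][1] + 1:
                continue
            run = hits[run_start:i]
            elapsed = run[-1][0] - run[0][0]
            if len(run) >= min_run and elapsed <= window and (best is None or len(run) > best[0]):
                best = (len(run), run[0][1], run[-1][1])
            run_start = i
        if best:
            alerts[client] = best
    return alerts


class SlidingWindowLimiter:
    """Per-client limiter: allow at most `max_requests` within any `per` interval."""

    def __init__(self, max_requests, per):
        self.max_requests = max_requests
        self.per = per
        self._seen = defaultdict(deque)

    def allow(self, client, now):
        q = self._seen[client]
        while q and now - q[0] >= self.per:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def replay_with_limit(records, max_requests=5, per=timedelta(minutes=1)):
    """Replay the log through the limiter; return {client: number of requests refused}."""
    limiter = SlidingWindowLimiter(max_requests, per)
    refused = defaultdict(int)
    for ts, client, _badge_id, _status in records:
        if not limiter.allow(client, ts):
            refused[client] += 1
    return dict(refused)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("enumeration alerts:", find_enumeration(recs))
    print("refused under 5/min limit:", replay_with_limit(recs))
```

Run on the constructed log, the detector flags only 203.0.113.5 (a run of 10 consecutive IDs, 100410 to 100419), and a 5-per-minute limit would have refused half of that client's requests while leaving the second client's ordinary lookups untouched. Rate limiting alone is only a brake, though; the root fix is the one BCard applied, which is not serving records to unauthenticated callers at all.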
Security staff at BCard disabled the legacy system’s API within a day of his disclosure, which the researcher later confirmed as fixed.
INT International, which owns BCard, did not immediately respond to a request for comment. Black Hat also did not respond when contacted prior to publication.
Although the data exposure was limited to non-sensitive personal information, the fallout is embarrassing for the world’s most popular security meetup, where maintaining strong “opsec” is paramount. Not only do security researchers, hackers, and vendors attend the conference; law enforcement and federal agents also attend.
It’s not the first time a security conference was hit with a security snafu. Earlier this year, the official app for the RSA Conference leaked over a hundred attendee records.