A vulnerability in Sky Go app exposes session data including usernames

  • The Sky Go app performs several requests over plain HTTP, any information sent via these requests are not encrypted.
  • Attackers exploiting this vulnerability and gaining access to the requests via MitM attacks could gain access to victims’ usernames and session data.

A security researcher Sean Wright uncovered a vulnerability (CVE-2018-18908) in the Sky Go Windows desktop application that relates to the transfer of data in plain text. This vulnerability in the Sky Go application performs several requests in plain HTTP. Any information sent via these requests is not encrypted or protected.

Since the data is unencrypted, there are chances for attackers to perform Man in the Middle (MitM) attacks to monitor unencrypted data flows and tamper communication channels or steal data.

Sky Go usernames are at risk

  • Once the Sky Go application is installed and run, it performs several requests over plain HTTP.
  • Sky Go usernames are present in the requests which are performed over plain HTTP.
  • When attackers gains access to these requests via MitM attacks, they could gain access to victims’ usernames.

However, these requests that are performed over plain HTTP could also contain other sensitive session information.

Vulnerability fixed or not?

Wright described in his blog that he first discovered the vulnerability on 22, May 2018, and immediately reported the vulnerability to Sky via email. Sky acknowledged the email and stated that it is investigating the issue. On 8, June 2018, Sky told Wright that the issue has been fixed.

However, in September, Wright requested an update for the fix. To which, Sky informed Wright that the fix will be released as part of their release schedule and they would send confirmation once the fix had been released.

After this, Wright did not receive any further update from Sky. Later, Wright publicly disclosed the vulnerability on January 19, 2019.

“Given the need for companies to move to HTTPS this issue still highlights that even larger companies are still lagging behind, as well as dragging behind when it comes to resolving these issues,” Wright told ZDNet.

“Hopefully by publicly highlighting some of these issues we can hopefully get the visibility into these type of issues and get companies to finally start paying the appropriate attention to them,” Wright concluded.