“You do not have access to the current prayer”: hi-tech beads from the Vatican were hacked in 15 minutes

A few days ago, the Vatican presented electronic rosary beads called "Click to Pray eRosary." This is a high-tech device that works on a principle similar to fitness trackers: the beads count the steps taken and the total distance the user has covered. But they also monitor the believer's engagement with religious practice.



The device is activated when the believer makes the sign of the cross. It then connects to an application with audio instructions for prayers, as well as photographs, videos and so on. So that the believer does not lose track, the rosary indicates which prayer has been said and how many times. All would be well, but almost immediately after the rosary's release an information security specialist hacked it, and, as it turned out, this was not difficult.



Incidentally, the device is not free at all: the Vatican sells it for $110. After activation, the device connects to the Pope's Worldwide Prayer Network.



But, as it turned out, the data of worshippers who use the electronic beads can be easy prey for attackers. The weakness in the protection of user information was discovered by French information security specialist Baptiste Robert. He cracked the Vatican's rosary (a strange combination of words, of course: "crack the rosary") in just 15 minutes. The vulnerability gives an attacker control over the account of the device's owner.



To access an account, an attacker only needs to know the user's email address. "This vulnerability is very significant because it allows an attacker to gain control over the account and its personal data," Robert said.





The Vatican did not comment on the issue in the media. However, Robert managed to contact a Vatican representative, after which the vulnerability was fixed. As it turned out, the root of the problem lay in how user authentication data was handled.



When a user registered in the "Click to Pray" application by entering their email address, a message with a PIN code was sent to that address. There was no need to set a password. Subsequent logins worked the same way: a PIN was sent to the email address, and with it the user could start working with the application.



Before the problem was fixed, the application sent the four-character PIN in unencrypted form. This meant that anyone analysing the network traffic could intercept the PIN and log in without difficulty.
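As an added illustration (this is not code from the article, from the Vatican or from the Click to Pray app, and every class and function name in it is invented for the example), the following Python models the login flow just described, a short numeric PIN kept in the clear, transmitted unencrypted and accepted after any number of wrong guesses, next to a hardened one-time-code flow: a high-entropy code of which only a keyed hash is stored, with a short expiry, a cap on attempts, constant-time comparison, single use, and an API response that carries no secret at all.

```python
"""Added example: weak e-mail PIN login versus a hardened one-time-code login.
Not the app's code; all names here are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 4  # the article reports a four-character PIN


class WeakPinLogin:
    """Models the flawed design: a 4-digit PIN is the only credential, it is
    kept in plaintext on the server, it is handed to an unencrypted transport,
    and wrong guesses are never counted."""

    def __init__(self):
        self.pending = {}  # email -> plaintext PIN (recoverable from any leak)

    def request_pin(self, email):
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.pending[email] = pin
        # Bad: the PIN travels in the clear, so anyone who can read the
        # network path (the article's scenario) obtains it directly.
        return {"transport": "http", "email": email, "pin": pin}

    def verify(self, email, pin):
        # Bad: plain comparison, no expiry, no attempt limit, reusable.
        return self.pending.get(email) == pin


class HardenedCodeLogin:
    """Hardened design: high-entropy code, only its HMAC stored, short expiry,
    bounded attempts, constant-time comparison, single use, nothing secret in
    the API response (the code goes out on the e-mail channel only)."""

    CODE_TTL = 600     # seconds a code stays valid
    MAX_ATTEMPTS = 5   # wrong guesses before the code is invalidated

    def __init__(self, server_key=None):
        self.server_key = server_key or secrets.token_bytes(32)
        self.pending = {}  # email -> [code_hash, expires_at, attempts_left]

    def _hash(self, email, code):
        # Keyed hash: a leaked table is useless without the server key, and
        # binding the e-mail stops a code issued to one account being replayed
        # against another.
        msg = f"{email}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def request_code(self, email, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)  # about 128 bits of entropy
        self.pending[email] = [self._hash(email, code), now + self.CODE_TTL,
                               self.MAX_ATTEMPTS]
        # "emailed_code" stands in for the e-mail delivery; the API response
        # the client sees is only the status line.
        return {"transport": "https", "email": email,
                "api_response": {"status": "sent"}, "emailed_code": code}

    def verify(self, email, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self.pending.pop(email, None)  # expired or exhausted: discard
            return False
        if hmac.compare_digest(code_hash, self._hash(email, code)):
            self.pending.pop(email)        # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            self.pending.pop(email, None)  # lock the code after MAX_ATTEMPTS
        return False


if __name__ == "__main__":
    weak = WeakPinLogin()
    issued = weak.request_pin("user@example.com")     # constructed address
    print("weak flow exposes PIN on", issued["transport"], "->", issued["pin"])
    hard = HardenedCodeLogin()
    issued = hard.request_code("user@example.com")
    print("hardened API response:", issued["api_response"])
    print("login ok:", hard.verify("user@example.com", issued["emailed_code"]))
```

The two classes share the same interface so the difference is purely in what the server stores and accepts: with the weak flow, a captured response reveals the credential and the four-digit keyspace is never protected by a guess limit; with the hardened flow, the transport carries no secret, the stored value cannot be turned back into the code, and a code dies after one use, ten minutes, or five wrong attempts, whichever comes first.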





Stylish trendy youth



Robert demonstrated the vulnerability to CNET reporters, who created an account specifically to test the problem. The expert gained control over the account, and its creators were thrown out of it, with a message displayed saying that the owner had logged in from another device. The "cracker" could do anything with the user's account; his access level did not differ from the owner's. For example, the account could simply be deleted.



This problem no longer exists because, as mentioned above, the Vatican fixed the vulnerability. But there is another interesting detail: the Android application asks for geolocation data and permission to make calls.
