Vatican's wearable rosary gets fix for app flaw allowing easy hacks

Are you there, God? It’s me, a serious security flaw.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

Oct. 18, 2019 4:11 p.m. PT

2 min read

The eRosary app had a security flaw that allowed potential hackers to log in to anyone's account just by knowing the email address.
Vatican News

The road to internet-connected salvation is paved with cybersecurity issues. The Vatican discovered that Thursday, after a security researcher disclosed a severe vulnerability with the "Click to Pray" eRosary app.

On Wednesday, the Vatican announced its $110 wearable rosary, an internet of things device that syncs with an app from the Pope's Worldwide Prayer Network. One advantage of IoT devices is that they open up a new way for people to interact with resources. With the eRosary, the Vatican said, people can get different prayers every day, as well as reminders on when to pray.

The downside of IoT devices is that they're ripe for security issues. Lawmakers in the US have consistently called out poor security practices on connected gadgets, warning that they could lead to a flood of vulnerable devices.

French security researcher Baptiste Robert found a significant flaw in the Vatican's app within 15 minutes. The vulnerability would have let a hacker take over a person's account, just by knowing the potential victim's registered email address.

"This vulnerability is very severe as it allows an attacker to take over the victim's account and get his personal information," Robert said in a message.

The Vatican didn't respond to a request for comment. Robert said he reached out to the Vatican on Wednesday and the security issue has since been fixed.

The flaw worked because of how the app handled login credentials, Robert said.

When you register for the "Click to Pray" app, you sign up with an email, and instead of setting a password, the app sends a PIN code to your inbox. You log in like this every time.

Before the fix, the app was sending out requests to its server to email you the four-digit PIN. The issue was that PIN code itself was also sent on the network. Anyone analyzing the network traffic could have seen the response with the PIN sent.

Robert demonstrated this vulnerability with an account we created on the app. Every time he gained access to the account, the app logged me out, telling me I was logged in on another device. It also sent an email with a new PIN code I didn't request.

Once he had access, Robert was able to do anything I could on the account. He saw what I set as my gender, height, weight and birthday, as well as the cat photo I used for my avatar. He also deleted my account and was able to access a second account that I had made right after.

The app logs other personal information as well, like how often someone prays, and it works as a fitness tracker. The rosary keeps track of how many steps a person takes throughout the day and distance traveled.
The Android app also asks for access to location data and permissions to make calls.