CNET también está disponible en español.

Ir a español

Don't show this again

CBS Sports app, mobile site get fix after leaving users unprotected

Unencrypted names, passwords and other info passed freely over the Web. CBS fixed the flaw.

The flaw in the CBS Sports app didn't lead to a breach of user data, but could have been exploited by hackers while it was still active.

Screenshot by Laura Hautala/CNET

CBS Sports Digital let its defense slide.

Both the app and mobile website collected registering users' names, passwords, dates of birth and other personal information, and then sent that data unencrypted over the Internet to CBS Sports Digital's servers, said cybersecurity company Wandera, which sells products to protect mobile phones from hackers.

That's sort of like running toward the end zone without a bunch of linemen to deflect the opposing team.

The problem has been fixed, according to CBS Sports Digital, which said in a statement that user data wasn't breached as a result of the flaw. (Both CBS Sports Digital and CNET are part of CBS Interactive, the online division of CBS.)

"Our internal teams are rigorous about monitoring our platforms for any potential security issues," the company said. "We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection."

The sports app, which CBS used to live-stream the Super Bowl in February, surged in popularity in March after the release of a new version that helped fans track the NCAA men's basketball tournament. According to app-tracking website Apptopia, the CBS Sports app was downloaded just under 300,000 times last month.

But its vulnerability indicates a larger issue: Companies don't always give security its due when it comes to mobile services, said Michael Covington, a threat researcher with Wandera. "That's where it starts to fall apart," he said.

That's why Covington advises you to think about the information you're sharing, assuming companies give you a choice. "Update your passwords and, if you don't think they need your postal code, take it off your profiles," he said. Or to mix metaphors, don't give hackers an easy slam dunk.

Close
Drag
Autoplay: ON Autoplay: OFF