‘Legacy System’ Exposed Black Hat 2018 Attendees’ Contact Info

An anonymous reader quotes a report from TechCrunch: A “legacy system” was to blame for exposing the contact information of attendees of this year’s Black Hat security conference. Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees’ names, email and home addresses, company names and phone numbers from anyone who registered for the 2018 conference. In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in its code, which he used to pull his own data from the server without any security checks. By enumerating and cycling through unique badge ID numbers, he was able to download a few hundred Black Hat attendee records from the server. The API was not rate limited either at all or enough to prevent the mass downloading of attendee records, the blog post said. The legacy system’s API was disabled within a day of the disclosure. Black Hat said in a statement: “Thanks to them for disclosing this promptly and responsibly to our technology partner, who addressed the vulnerability immediately. We’re working with our partner to ensure this isn’t an issue in the future.”