The path to salvation connected to the Internet is paved with cybersecurity problems. The Vatican discovered this Thursday, after a security researcher revealed a serious vulnerability in the “Click to Pray” application.
Wednesday, the Vatican announced its $110 wearable rosary, an Internet of Things device that syncs with an app from the Pope’s Global Prayer Network. One of the benefits of IoT devices is that they open up a new way to interact with resources. With the eRosary, the Vatican said, people can receive different prayers each day, along with reminders on when to pray.
The downside of IoT devices is that they are ripe for security issues. US lawmakers have consistently denounced poor security practices on connected gadgets, warning that they could lead to a flood of vulnerable devices.
French security researcher Baptiste Robert found a major flaw in the Vatican app in 15 minutes. The vulnerability would have allowed a hacker to take control of a person’s account, simply by knowing the potential victim’s registered email address.
“This vulnerability is very serious because it allows an attacker to take control of the victim’s account and obtain their personal information,” Robert said in a post.
The Vatican did not respond to a request for comment. Robert said he contacted the Vatican on Wednesday and the security issue has since been resolved.
The flaw worked because of how the app handled login credentials, Robert said.
When you sign up for the “Click to Pray” app, you sign up with an email, and instead of setting a password, the app sends a PIN to your inbox. You log in like this every time.
Prior to the patch, the app asked its server to email you the four-digit PIN. The problem was that the PIN itself was also included in the server's response to that request, so anyone who could see that response, including whoever triggered it by entering the victim's email address, had the PIN without ever reading the inbox. Anyone watching the network traffic could have seen it as well.
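To make the failure mode concrete, here is an added example (my own code, not the Click to Pray app's or Robert's, with a constructed user store and an in-memory outbox standing in for a mail service) of a PIN-by-email login endpoint written both ways: the defective pattern the article describes, where the server echoes the PIN in its own response, beside a hardened version that keeps the PIN server-side as an HMAC, sends it only to the inbox, gives the same response for unknown addresses, and expires it after a time limit, a fixed number of attempts, or one successful use.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600   # assumed lifetime of a PIN
MAX_ATTEMPTS = 5        # assumed guess budget per issued PIN

# Constructed stand-in for the app's user store: email -> account record
USERS = {"alice@example.com": {"name": "Alice"}}

# Constructed stand-in for an outbound mail service; messages are collected
# here so the example runs offline.
OUTBOX = []


def _send_email(to, body):
    OUTBOX.append((to, body))


def vulnerable_request_pin(email):
    """The pattern described in the article: the server emails the PIN but
    ALSO returns it in the response, so whoever triggered the request (or
    watched the traffic) gets it without access to the inbox."""
    if email not in USERS:
        return {"error": "unknown email"}     # also leaks which emails exist
    pin = f"{secrets.randbelow(10000):04d}"
    USERS[email]["pin"] = pin                 # stored in clear
    _send_email(email, f"Your PIN is {pin}")
    return {"status": "sent", "pin": pin}     # the defect: PIN in the reply


# --- hardened version ---------------------------------------------------

PENDING = {}                        # email -> {"hash", "expires", "attempts"}
SERVER_SECRET = secrets.token_bytes(32)


def _hash_pin(email, pin):
    # Keyed hash so a leaked PENDING table cannot be brute-forced offline
    msg = f"{email}:{pin}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_request_pin(email, now=None):
    """Issue a PIN: store only its HMAC, email it, and answer identically
    whether or not the address is registered."""
    now = time.time() if now is None else now
    if email in USERS:
        pin = f"{secrets.randbelow(10000):04d}"
        PENDING[email] = {
            "hash": _hash_pin(email, pin),
            "expires": now + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        _send_email(email, f"Your PIN is {pin}")
    return {"status": "sent"}                  # never contains the PIN


def hardened_verify_pin(email, pin, now=None):
    """Check a submitted PIN; enforce expiry, attempt limit and single use."""
    now = time.time() if now is None else now
    rec = PENDING.get(email)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(email, None)               # burn the PIN
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["hash"], _hash_pin(email, pin))
    if ok:
        PENDING.pop(email, None)               # one successful use only
    return ok


if __name__ == "__main__":
    print("vulnerable:", vulnerable_request_pin("alice@example.com"))
    print("hardened:  ", hardened_request_pin("alice@example.com"))
    print("mail sent: ", OUTBOX[-1])
```

The hardened response is the same `{"status": "sent"}` for a registered and an unregistered address, so the endpoint cannot be used to confirm which emails have accounts, and the only place the PIN ever appears is the email body.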
Robert demonstrated this vulnerability with an account I created on the app. Each time he accessed the account, the app logged me out, telling me I was logged in on another device. His access also triggered an email to me with a new PIN that I had not requested.
Once he got access, Robert was able to do everything I could on the account. He saw what I set as gender, height, weight, and birthday, and the cat photo I used for my avatar. He also deleted my account and was able to access a second account I created right after.
The app also logs other personal information, like how often someone prays, and functions as a fitness tracker. The rosary records the number of steps a person takes throughout the day and the distance covered.
The Android app also requests access to location data and permissions to make calls.