
Vatican launches smart rosary – complete with brute force flaw – Naked Security

At one point most software developers have probably clicked “run”, crossed their fingers and prayed, but last week the Vatican took it to a whole new level. It released its new digital rosary – complete with a mind-boggling logic bug.

Deciding that the 21st century could be a nice place to visit, the Vatican started by testing all of this wearable technology with an electronic rosary. It’s called the Click to Pray eRosary and it targets “the peripheral borders of the digital world where young people live.” (Vatican News actually talks like this.)

Traditional rosaries are meditative beads that you use to count multiple prayers, and they’ve been around since at least the 12th century, according to scholars. Wearable like a bracelet, the new electronic version, released on October 15, comes to life when users activate it by stroking its tactile cross.

The $110 device syncs with Click to Pray, which is the official prayer app of the Pope’s Worldwide Prayer Network. It tracks users’ progress as they work through different sets of themed prayers. Oh, and it also counts your steps, for those who want to exercise both body and mind.

Unfortunately, it seems that holy software developers are as fallible as the rest of us. Two researchers noticed flaws in Click to Pray that leaked sensitive information.

In a blog post last Friday, Fidus Information Security revealed a brute force flaw in the app’s authentication mechanism. It lets you log in via Google and Facebook – no problem there – but it was the alternative that caused the problem: access with a four-digit PIN.

When a user resets their account using the Click to Pray app, they use an Application Programming Interface (API) to make the request to the server, which then sends the PIN to the email of the user. The server also returns the PIN in its response to the API request, which means someone accessing the API directly could get the user’s PIN without having access to their email.

Fidus said:

Armed with this, we can simply log into the app with the provided PIN, compromising the account with minimal effort. The account contained: Avatars, phone numbers, height, weight, gender and date of birth.

There’s also another problem with the system, the company explained: the API doesn’t limit the number of attempts you can make to log in with the PIN. Because we’re talking about digits here rather than alphanumeric characters, that’s 10^4, or 10,000 possible values. A simple Python script could run through them in no time.
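The two defects described above (the reset PIN echoed back in the API response, and an unlimited number of PIN guesses) can be avoided in a few lines of server-side logic. The following is an added illustration, not Click to Pray’s own code; the attempt cap, PIN lifetime and email callback are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this illustration, not from the original app.
MAX_ATTEMPTS = 5          # a 10,000-value space cannot be exhausted in 5 guesses
PIN_TTL_SECONDS = 600     # PIN stops working after ten minutes


class PinResetService:
    """Hardened PIN-reset flow: the PIN leaves the server only via email."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email   # out-of-band delivery channel
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # email -> {"hash", "expires", "attempts"}

    def request_reset(self, email):
        """API handler: issue a 4-digit PIN, email it, return NO secret."""
        pin = f"{secrets.randbelow(10_000):04d}"   # same 4-digit space as the article
        self._pending[email] = {
            # Hashing a 4-digit value buys little on its own; the point is that
            # the plaintext is never stored or returned. The attempt cap does the work.
            "hash": hashlib.sha256(pin.encode()).digest(),
            "expires": self._now() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_email(email, pin)
        return {"status": "sent"}       # contrast: the original response carried the PIN

    def verify_pin(self, email, guess):
        """API handler: expiry check, attempt cap, constant-time compare, single use."""
        entry = self._pending.get(email)
        if entry is None or self._now() > entry["expires"]:
            self._pending.pop(email, None)
            return False
        if entry["attempts"] >= MAX_ATTEMPTS:
            return False                # locked out: even the right PIN is refused now
        entry["attempts"] += 1
        ok = hmac.compare_digest(
            entry["hash"], hashlib.sha256(guess.encode()).digest()
        )
        if ok:
            del self._pending[email]    # a PIN is good for exactly one login
        return ok
```

Once the cap is hit the only way forward is a fresh reset request, which issues a new random PIN, so the guess counter never accumulates across the keyspace.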

Security researcher Baptiste Robert (aka Elliot Alderson) also discovered and reported the bug, tweeting responsibly after the Vatican released a patch:

Vatican priest Father Robert R. Ballecer thanked him publicly:

The Vatican and its developers moved fairly quickly to resolve the issues when Fidus contacted them, though they moved in mysterious ways. Rather than completely removing the PIN from the API response, they simply lengthened it, doubling the number of digits to eight.

Fidus replied:

There doesn’t seem to be a direct correlation between the new 8-digit PIN and the correct 4-digit PIN sent via email. It is likely that the data returned is not random but rather obfuscated although it has not been possible to reverse engineer the algorithm used…yet.

A Vatican spokesperson also reportedly said the brute force issue had been resolved.