Vatican Smart Rosary app hacked 15 minutes after launch

Earlier this month, the Vatican unveiled a wearable eRosary that tracked prayer progress and required users to make the sign of the cross to activate it.

It comes with a dedicated app… which was hacked within 15 minutes of going live.

Fortunately, this major security flaw was discovered by French security researcher Baptiste Robert, rather than someone with more nefarious motives.

Robert told CNET that the flaw allowed someone to access a user’s “Click And Pray” account, as well as their personal information, because of how login credentials work.

The app requires an email to register, but issues a PIN to use for login rather than a password.

However, the app sent this PIN request over its network, which means that anyone who looked at the network traffic could see, in the response, the PIN sent by email.

To make matters worse, if someone intercepted the PIN and used it to log into a user’s account, the app would log the original user out of their own device.

The flaw also made it easy for people to request new PINs, which Robert demonstrated to CNET.
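A minimal sketch of the flaw class described above, added here as an illustration (not code from the app, Robert or CNET): a PIN endpoint that echoes the PIN in its response, next to one that releases it only through the email channel. All function names, the in-memory stores, the 60-second throttle and the 5-minute PIN lifetime are assumptions.

```python
import hashlib, hmac, secrets, time

OUTBOX = []          # stands in for the e-mail channel (constructed, in-memory)
PIN_STORE = {}       # email -> (salt, pin_hash, expires_at)
LAST_REQUEST = {}    # email -> time of the last accepted PIN request
MIN_INTERVAL = 60    # seconds between PIN requests per account (assumed value)
PIN_TTL = 300        # PIN lifetime in seconds (assumed value)

def _new_pin():
    return f"{secrets.randbelow(10**6):06d}"

def request_pin_vulnerable(email):
    """Flawed pattern: the PIN travels back to the caller in the API response."""
    pin = _new_pin()
    OUTBOX.append((email, pin))
    return {"status": "ok", "email": email, "pin": pin}

def request_pin_hardened(email, now=None):
    """The PIN leaves the server only by e-mail; requests are throttled."""
    now = time.time() if now is None else now
    if now - LAST_REQUEST.get(email, float("-inf")) < MIN_INTERVAL:
        return {"status": "throttled"}
    LAST_REQUEST[email] = now
    pin, salt = _new_pin(), secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    PIN_STORE[email] = (salt, digest, now + PIN_TTL)   # store a hash, not the PIN
    OUTBOX.append((email, pin))
    return {"status": "ok"}   # no PIN and no account detail in the body

def verify_pin(email, pin, now=None):
    """Constant-time check against the stored hash; a PIN is single-use."""
    now = time.time() if now is None else now
    salt, digest, expires = PIN_STORE.get(email, (b"\0" * 16, b"", 0))
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    ok = now < expires and hmac.compare_digest(candidate, digest)
    if ok:
        del PIN_STORE[email]
    return ok

def response_leaks_pin(response, pin):
    """True if the PIN appears anywhere in the response body."""
    return pin in str(response)
```

`response_leaks_pin` is the kind of check that fits in an API regression test: issue a PIN, then assert that the value delivered by email never appears in what the client receives.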

Accessing someone’s Click And Pray account gave a hacker access to the user’s personal information such as birthday, gender, height, and weight, as well as saved information such as the number of steps taken, the distance covered and the prayer times.

They could also delete the account from inside the app.

Given that the app also asks for location data and call authorization, this is an alarming amount of information to be so readily available to someone looking to phish for user information.

Fortunately, a patch for this security flaw has since been released.

Still, it’s an important lesson for apparel and app companies to take away. As technology and people become more connected, the need for airtight security to protect their information must be at the forefront of development.

[CNET]