Last week, the Vatican announced its "eRosary." Naturally, it did not take long for someone to find a major security flaw.
The Click to Pray eRosary is a smart device that functions as a sort of Fitbit for prayer, and also as a plain ol' Fitbit, kind of.
When you wish to pray, you can use the Click to Pray app to pick a particular rosary. According to the Vatican's press release, "The Rosary shows the user's progress throughout the different mysteries and keeps track of each completed rosary." [...] of people around the globe to pray every day. "The Click To Pray eRosary is thus intended to accompany him in his Daily and Monthly Intentions in Order to Build a World with the Taste of the Gospel."
That sounds harmless enough, but at least one security researcher discovered a security flaw in the app over the weekend. Fidus Information Security, a UK firm, found the vulnerability within minutes of the app's launch. Security researcher Elliot Alderson described it to CNET.
Less than 5 minutes into the eRosary application our research team has developed a full account takeover exploit. Can obtain e-mails, phone numbers, height, weight and other personal data. This has been reported. Luckily it's so new it's not in the wild yet. pic.twitter.com/XpqYqDpgC2
– Fidus InfoSecurity (@FidusInfoSec) October 17, 2019
Trouble is, the PIN code could be seen by anyone who could see the app's traffic, because it was contained in the API's response. So you could, in theory, see the PIN without needing access to the email account. Requesting a new PIN also ends the existing session, so to you it would simply look as though you had been logged out of the app. Whoever accessed your account would be able to see any information there, including your prayers, your steps, etc.
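The login flow the article describes, as an added illustration (not code from the eRosary app, whose backend is not public): a PIN-request handler that echoes the PIN in its JSON response, next to a hardened version that only sends it out of band and verifies it with expiry, an attempt limit and single use. The in-memory store, e-mail outbox and server key are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the backend database, the outbound mail service
# and a server-side key; none of these are the real eRosary backend's.
SERVER_KEY = secrets.token_bytes(32)
PENDING = {}       # email -> (pin_mac, expires_at, attempts_left)
EMAIL_OUTBOX = []  # (recipient, body) pairs the mail service would deliver

def _mac_pin(email, pin):
    # Keyed MAC rather than a bare hash: a 4-digit PIN is trivially
    # brute-forced from an unkeyed digest if the table ever leaks.
    return hmac.new(SERVER_KEY, f"{email}:{pin}".encode(), hashlib.sha256).hexdigest()

def _issue_pin(email, ttl=600):
    pin = f"{secrets.randbelow(10000):04d}"
    PENDING[email] = (_mac_pin(email, pin), time.time() + ttl, 3)
    EMAIL_OUTBOX.append((email, f"Your login PIN is {pin}"))
    return pin

def request_pin_vulnerable(email):
    """Pattern the article describes: the PIN is echoed back in the API response,
    so anyone who can read the traffic learns it without touching the mailbox."""
    pin = _issue_pin(email)
    return {"status": "ok", "pin": pin}

def request_pin_fixed(email):
    """Hardened: the PIN leaves the server only via e-mail; the response is the
    same generic body whether or not the address is known."""
    _issue_pin(email)
    return {"status": "ok"}

def verify_pin(email, candidate):
    entry = PENDING.get(email)
    if entry is None:
        return False
    pin_mac, expires_at, attempts_left = entry
    if time.time() > expires_at or attempts_left <= 0:
        PENDING.pop(email, None)          # expired or exhausted: discard
        return False
    ok = hmac.compare_digest(pin_mac, _mac_pin(email, candidate))
    if ok:
        PENDING.pop(email, None)          # single use
    else:
        PENDING[email] = (pin_mac, expires_at, attempts_left - 1)
    return ok

def pin_from_outbox(email):
    """Stands in for the legitimate user reading the PIN from their inbox."""
    for recipient, body in reversed(EMAIL_OUTBOX):
        if recipient == email:
            return body.rsplit(" ", 1)[1]
    return None
```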
According to CNET, the issue has now been fixed. Alderson initially had trouble reaching the Vatican about the issue, but eventually someone listened. The Register reports that both Alderson and Fidus reported the vulnerability at about the same time.
Elliot found a vulnerability in a newly-released app loosely connected to my office.
He was patient with our dev team.
He was everything we needed to fix the vulnerability. https://t.co/CVn07tOEDF
– Fr. Robert R. Ballecer, SJ (@padresj) October 18, 2019
I'm sure there's some sort of irony in an item that's supposed to help the faithful feel more comfortable and secure turning out to be a bit insecure itself. Still, that's not unusual for a wearable, and it's good to know the situation has been dealt with.