After learning about a smartphone app dedicated solely to this week's RSA security conference in San Francisco, I publicly questioned why anyone would install it. After all, RSA's recently discovered history of either deliberately or unknowingly seeding its trusted products with dangerous code developed by the National Security Agency has left many people suspicious.
A day later, researchers have uncovered two vulnerabilities in the app that make it hard for me to resist the urge to say "I told you so." One of them discloses the name, surname, title, employer, and nationality of people who have installed the app, according to Gunter Ollmann, a researcher at security firm IOActive. For reasons unknown, the information resides in an SQLite database file that's bundled with the app. Opening it and reading the contents are trivial.
"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details [were] being made public and published in this way," he wrote in a blog post published Wednesday morning. "Marketers love this kind of information though!"