Passwords were exposed in plaintext, the API's source code was accessible via the Web, and communications were not protected by HTTPS

Nov 30, 2015 10:55 GMT

The mobile apps used to manage roadside billboards from OutdoorLink, Inc. have been patched to prevent malicious actors from gaining unauthorized access to its products, independent security researcher Randy Westergren reports.

Mr. Westergren's research targeted the SmartLink remote billboard management system, available as a Web service and as Android and iOS apps.

Android app allowed attackers to hijack user sessions

Although Mr. Westergren could not access the SmartLink portal itself, decompiling the SmartLink Android app gave him a detailed view of the service's inner workings, which eventually let him reach internal data about OutdoorLink customers and their billboards.

A series of missing security controls facilitated Mr. Westergren's intrusion, leaving the app exposed to attacks from remote parties.

The problems were the lack of HTTPS encryption for the authentication procedure, which transmitted passwords in plaintext during login, and the lack of any session-state mechanism on the SmartLink API endpoints, which allowed anyone to hijack sessions and interact with the API's data.

As Mr. Westergren explains, "an attacker could completely manage/control any billboard in the system."

API server revealed user passwords in cleartext

Mr. Westergren also stumbled upon a bigger security blunder when he opened the API URL in a browser. The server listed all of its content, including the API's source code and user authentication log files, which stored username and password combinations in plaintext, ready for the taking.

Fortunately for the company's customers, OutdoorLink fully cooperated with Mr. Westergren and patched up all its issues.

The SmartLink system now uses HTTPS for its communications, the API server has been completely overhauled, and the company has also recently launched new Android and iOS applications. Mr. Westergren confirmed that all the security issues he uncovered have been patched.

This is the second major security issue Mr. Westergren has discovered during the past week, having previously "helped" United Airlines patch similar issues in its Android app.

Image: Android app revealing data about other people's billboards

Image: Road billboards exposed to hacking