Researchers have found vulnerabilities in the eRosary smart rosary recently introduced by the Vatican's developers.
The product's creators did not protect user accounts from third-party interference, leaving attackers with access to private information.
“It took just 10 minutes to find data-divulging demons corrupting Pope’s Click to Pray eRosary app. Vatican coders exorcise API gremlins but, we must confess, they missed one little monster. Exclusive The technology behind the Catholic Church’s latest innovation, an electronic rosary, is so insecure, it can be trivially hacked to siphon off worshipers’ personal information”, The Register's journalists write with some irony.

Literally the day after the product was released, experts found serious security problems in the application. Infosec bods at UK-based Fidus Information Security quickly uncovered flaws in the backend systems used by the Click to Pray app, which is available for iOS and Android. The security vulnerabilities are more embarrassing than life-threatening.
As it turned out, the developers did not limit the number of failed login attempts in Click To Pray. This allowed an attacker to guess the four-digit PIN code used to authorise the user in the application by simply trying every combination.
The PIN could also be obtained directly through an API request to the backend server that took nothing more than the victim’s email address.
As a result, the attacker gained access to the Click To Pray profile, which stores the user’s age, height and weight, and could view the user's photo. An attacker could also delete the account and take over newly registered accounts, provided they were registered with an email address known to the attacker.
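The two backend mistakes described above, a PIN that could be guessed without limit and a call that handed the PIN back for any e-mail address, and how a backend avoids them, as an added example that is not the Click to Pray app's own code: the lockout threshold and duration are assumed values, and `deliver` stands in for the mail sender.

```python
import hashlib, hmac, secrets

MAX_FAILED_ATTEMPTS = 5      # assumed policy value, not from the app
LOCKOUT_SECONDS = 15 * 60    # assumed policy value, not from the app

def derive(pin: str, salt: bytes) -> bytes:
    # Slow hash: a leaked database must not give away 4-digit PINs cheaply
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Account:
    def __init__(self, email: str, pin: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pin_hash = derive(pin, self.salt)   # the PIN itself is never stored
        self.failed = 0
        self.locked_until = 0.0
        self.reset_token_hash = None

def verify_pin(acct: Account, pin: str, now: float) -> str:
    """Return 'ok', 'bad_pin' or 'locked'; failures are counted per account."""
    if now < acct.locked_until:
        return "locked"                      # even a correct PIN is refused
    if hmac.compare_digest(derive(pin, acct.salt), acct.pin_hash):
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:   # no unlimited guessing of 10,000 values
        acct.failed = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_pin"

def request_pin_reset(acct: Account, deliver) -> None:
    """The API caller gets nothing back; a one-time token goes out of band."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    deliver(acct.email, token)               # mail sender in practice; a callback here

def complete_pin_reset(acct: Account, token: str, new_pin: str) -> bool:
    """Accept the out-of-band token once, then install the new PIN."""
    given = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(given, acct.reset_token_hash or b""):
        return False
    acct.reset_token_hash = None             # single use
    acct.pin_hash = derive(new_pin, acct.salt)
    acct.failed, acct.locked_until = 0, 0.0
    return True
```

With the limit in place a guesser gets at most five tries per lockout window, and the reset path never puts the PIN in an API response.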
“The Register set up a dummy account on the app, using the name Satan, and, sure enough, it was hijacked within minutes by the Fidus team. While accounts do not store anything too sensitive, such as financial information, they do contain personally identifying data – such as folks’ names and physical descriptions. In countries like China, where Catholics aren’t too popular, this sort of data could be damaging if exposed”, The Register's journalists report.

Father Frederic Fornos, the International Director of the Pope’s Worldwide Prayer Network, said that as soon as he was alerted to the security weaknesses by Fidus on Thursday, he put Vatican coders on the job to fix them and pledged, miracles upon miracles, to have the holes patched within 24 hours.
At the time of publication, the developers had fixed the reported bugs.