“It took just 10 minutes to find data-divulging demons corrupting Pope’s Click to Pray eRosary app. Vatican coders exorcise API gremlins but, we must confess, they missed one little monster. Exclusive The technology behind the Catholic Church’s latest innovation, an electronic rosary, is so insecure, it can be trivially hacked to siphon off worshipers’ personal information”, — ironically say Register journalists.
Literally the day after the product was released, experts found serious security problems in the program. Infosec bods at UK-based Fidus Information Security quickly uncovered flaws in the backend systems used by the Click to Pray app, which is available for iOS and Android. The security vulnerabilities are more embarrassing than life-threatening.
As it turned out, the developers did not limit the number of failed login attempts in Click To Pray. This allowed an attacker to brute-force the four-digit PIN code that is used for authorization in the application.
The PIN could also be obtained through an API request to the backend server for the victim's email address.
As a result, the attacker gained access to the Click To Pray profile, where the user's age, height and weight are stored, and could see the user's photo. An attacker could also delete an account, and compromise new accounts if they are registered with an email address known to the attacker.
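The server-side controls whose absence is described above, sketched as an added example (not the app's or the Vatican developers' code): failed PIN attempts are counted per account, and the PIN is delivered by email rather than returned in the API response. The `PinAuth` class, its method names and the limit and lockout values are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed policy: wrong PINs tolerated per account
LOCKOUT_SECONDS = 900   # assumed policy: lockout once the limit is hit


class PinAuth:
    """Hypothetical server-side PIN login with per-account failure limiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pins = {}      # email -> currently valid PIN
        self._failures = {}  # email -> (failure count, locked-until time)
        self.outbox = None   # stand-in for a real mail sender

    def _locked(self, email):
        return self._clock() < self._failures.get(email, (0, 0.0))[1]

    def request_pin(self, email):
        """Issue a PIN by email only; the API response never contains it."""
        if self._locked(email):
            return {"status": "locked"}
        pin = f"{secrets.randbelow(10_000):04d}"
        self._pins[email] = pin
        self.outbox = (email, pin)
        return {"status": "sent"}

    def login(self, email, pin):
        if self._locked(email):
            return "locked"
        expected = self._pins.get(email, "")
        # Constant-time comparison; an account with no PIN never matches.
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self._failures.pop(email, None)
            return "ok"
        count = self._failures.get(email, (0, 0.0))[0] + 1
        if count >= MAX_FAILURES:
            # Lock the account and void the PIN so guessing cannot resume.
            self._pins.pop(email, None)
            self._failures[email] = (0, self._clock() + LOCKOUT_SECONDS)
            return "locked"
        self._failures[email] = (count, 0.0)
        return "denied"
```

Requesting a new PIN does not reset the failure counter, so the limit cannot be sidestepped by cycling PINs.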
“The Register set up a dummy account on the app, using the name Satan, and, sure enough, it was hijacked within minutes by the Fidus team. While accounts do not store anything too sensitive, such as financial information, they do contain personally identifying data – such as folks’ names and physical descriptions. In countries like China, where Catholics aren’t too popular, this sort of data could be damaging if exposed”, — report journalists of The Register.
Father Frederic Fornos, the International Director of the Pope's Worldwide Prayer Network, said that as soon as he was alerted to the security weaknesses by Fidus on Thursday, he put Vatican coders on the job to fix them, and pledged to, miracles upon miracles, have the holes patched over within 24 hours.
At the time of publication, the developers had fixed the detected bugs.