A computer scientist has discovered vulnerabilities in the SkyGo Windows app that would endanger user credentials
The Windows version of the SkyGo app has a security problem. Security expert Sean Wright discovered it by analyzing two versions of the app (1.0.23-1 and 1.0.19-1), but it is not excluded that other versions may also be affected by this vulnerability.
According to Wright, the app performs several requests and data transmissions using the HTTP protocol without any kind of encryption. This means that it is vulnerable and a hacker can use the "Man in the Middle" (MiTM) technique to get hold of confidential user data. This means that a hacker could "get in the middle" of the communication between the app and the servers that transmit the content, being able to read without problems the user's information communicated by the app to the server. The username, for example, would be easily read by the hacker.
The SkyGo Vulnerability
This bug in the SkyGo app was discovered by the researcher on May 22, 2018 and made public on January 19. In all this time, according to the researcher, it does not appear that a more secure version of the app has been released. On June 8, 2018, Sky told Wright that it was working to fix the app, but then in September stated that the patch will only be released in a new version of the app that will be made available in the future and not in a special version made specifically to fix this issue.
"Given the need for companies to move to HTTPS, this issue once again highlights that even the largest companies are lagging behind, as well as falling behind when it comes to fixing these issues," Wright told ZDNet. "I hope that by publicly highlighting some of these issues, we can gain visibility into them and get companies to finally start paying the necessary attention to them.
What is the HTTPS protocol
The HTTPS protocol mentioned by Wright is nothing more than the encrypted version of the old HTTP, thanks to which it is possible to establish more secure communications between computers and devices of various kinds on the Internet. If SkyGo used HTTPS for its communications, a Man in the Middle attack would be much more complex because the hacker would have to be able to decipher the data before being able to read it. Google itself has repeatedly urged website owners to switch to this protocol, and the Chrome browser clearly flags sites that still use the old HTTP protocol with the words "Not Secure" to the left of the URL.