Vulnerability in Sky Go could leak user’s sensitive information

A malicious user could perform a Man-in-The-Middle attack to extract user’s sensitive information

Network security and ethical hacking specialists from the International Institute of Cyber Security report the finding of a new vulnerability in the desktop application for Windows Sky Go; the error in question leaks multiple session data, including victim’s usernames.

Sean Wright, specialized in application security, mentions that the vulnerability (tracked as CVE-2018-18908), is related to data transfer in plain text files. Wright claims that the Sky Go usernames and other session data are at risk.

This desktop application performs multiple requests via simple HTTP. Without any encryption in the corresponding place, no information sent through these requests is reviewed or protected, which leaves users widely vulnerable to a cyberattack, especially to Man-in-the-Middle (MiTM) attacks, as the malicious hackers can monitor data streams without encrypting and disrupting communication channels or stealing data.

“When Sky Go is installed and executed, the victim’s username is found in several requests made in plaint HTTP,” reports the network security expert. “If an attacker accesses these requests through a MiTM attack, they might get the victim’s username. In addition, some applications contain information that could be used in other hacking activities”, added Wright. 

The vulnerability was discovered in May 2018 and publicly disclosed on January 2019, receiving a score of 5.4/10 on the Common vulnerability Scoring System (CVSS) scale. The vulnerability affected the versions between 1.0.23-1 and 1.0.19-1 of Sky Go, although the possibility that more versions could be affected has not been ruled out.

Although Wright reported on the vulnerability to Sky teams the same day he discovered it, the vendor took almost a week to answer. In addition, it was claimed that the vulnerability had been corrected on June 8 2018, although Sky released the corresponding update patch until September 2018.

Network security experts are still unaware of whether this flaw has already been corrected; on the other hand, Wright mentions that Sky stopped communicating with him after they allegedly solved the flaw, so he believes the vulnerability has not yet been corrected.

“This incident highlights the fact that some companies, even the largest, are stagnating in the transition to HTTPS,” says Wright. “In the cybersecurity community we hope that public disclosure of this kind of incidents will serve companies to complete this transition shortly,” Wright concluded.