A “legacy system” was to blame for exposing the contact information of attendees of this year’s Black Hat security conference.
Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees’ names, email and home addresses, company names and phone numbers from anyone who registered for the 2018 conference.
In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in its code, which he used to pull his own data from the server without any security checks.
By enumerating and cycling through unique badge ID numbers, he was able to download a few hundred Black Hat attendee records from the server. The API was not rate limited either at all or enough to prevent the mass downloading of attendee records, the blog post said.
Security staff at BCard disabled the legacy system’s API within a day of his disclosure, which the researcher later confirmed as fixed.
Black Hat confirmed the badge vulnerability in an email to TechCrunch. “Thanks to them for disclosing this promptly and responsibly to our technology partner, who addressed the vulnerability immediately,” said a spokesperson. “We’re working with our partner to ensure this isn’t an issue in the future.”
INT International, which owns BCard, did not immediately respond to a request for comment.
Although the data exposure was limited to non-sensitive personal information, the fallout is embarrassing for the world’s most popular security meetup where maintaining strong “opsec” is paramount. Not only do security researchers, hackers and vendors attend the conference, law enforcement and federal agents also attend.
It’s not the first time a security conference was hit with a security snafu. Earlier this year, the official app for the RSA Conference leaked more than 100 attendee records.
Updated at 1:20pm ET: with statement from Black Hat.