Naked Security

Vatican launches smart rosary – complete with brute-force flaw

Now fixed, the Vatican's new fitness-and-prayer eRosary and its accompanying app, Click to Pray, were found to have a serious privacy bug.

At some point, most software developers have probably hit ‘run’, crossed their fingers and prayed, but last week the Vatican took it to a whole new level. It released its new digital rosary – complete with show-stopping logic bug.

Deciding that the 21st century might be a nice place to visit, the Vatican started by testing out this whole wearable technology thing with an electronic rosary. It’s called the Click to Pray eRosary and it targets “the peripheral frontiers of the digital world where the young people dwell.” (The Vatican News actually talks like this.)

Traditional rosaries are meditative beads that you use to count off multiple prayers, and they’ve been around since at least the 12th century, according to scholars. Wearable as a bracelet, the new electronic version, released on 15 October, springs into life when users activate it by stroking its touch-sensitive cross.

The $110 device syncs with Click to Pray, which is the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, and it tracks your steps, too, for those who want to exercise both body and soul.

Unfortunately, it seems that holy software developers are as fallible as the rest of us. Two researchers noticed flaws with Click to Pray that divulged sensitive information.

In a blog post last Friday, Fidus Information Security exposed a brute-force flaw in the app’s authentication mechanism. It lets you log in via Google and Facebook – no problem there – but it’s the alternative that caused the issue: access with a four-digit PIN.

When a user resets their account using Click to Pray’s app, it uses an application programming interface (API) to make the request to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user’s PIN without having access to their email.

Fidus said:

Armed with this, we can simply log in to the application with the provided PIN, compromising the account with minimal effort. The account contained: avatars, phone numbers, height, weight, gender and DOBs.

There’s also another problem with the system, explained the company: The API doesn’t limit the number of attempts that you can make to log in with the PIN. Because we’re talking numerical digits rather than alphanumerics here, that’s 10^4, or 10,000 attempts. A simple Python script could rattle through those in short order.
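The two defects described above, the PIN echoed back in the reset response and the absence of any limit on PIN guesses, are easier to see side by side in code. The following Python sketch is an added illustration, not code from Click to Pray, Fidus or the Vatican’s developers: it models a reset-and-login flow with an in-memory account store, a list standing in for the e-mail channel, and a controllable clock. The flawed handlers reproduce the behaviour the article describes; the hardened handlers keep the PIN out of the API response and lock the account after a handful of wrong guesses. The attempt limit, lockout period and address are constructed values, not anything from the page.

```python
"""Constructed simulation of a PIN-reset login flow: the flawed behaviour the
article describes (PIN echoed in the API response, unlimited guesses) beside a
hardened version. Example code only, not the real Click to Pray API."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: bytes = b""
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store does not hand over PINs directly.
    # A 4-digit space is still tiny offline, so the online lockout is what counts.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinResetService:
    PIN_DIGITS = 4              # four-digit PIN, as described in the article
    MAX_ATTEMPTS = 5            # assumed policy values, not taken from the page
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, clock=time.monotonic):
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # stands in for the e-mail channel
        self.clock = clock

    def _issue_pin(self, email: str) -> str:
        acct = self.accounts.setdefault(email, Account(email))
        pin = f"{secrets.randbelow(10 ** self.PIN_DIGITS):0{self.PIN_DIGITS}d}"
        acct.pin_hash = _hash_pin(pin, acct.salt)
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        self.outbox.append((email, pin))          # legitimate out-of-band delivery
        return pin

    # --- flawed flow, as the article describes it --------------------------
    def request_reset_flawed(self, email: str) -> dict:
        pin = self._issue_pin(email)
        return {"status": "ok", "pin": pin}       # BUG: the secret leaks to the API caller

    def login_flawed(self, email: str, pin: str) -> bool:
        acct = self.accounts.get(email)
        # BUG: no attempt counter, so 10**4 guesses are always enough
        return acct is not None and hmac.compare_digest(
            _hash_pin(pin, acct.salt), acct.pin_hash)

    # --- hardened flow -----------------------------------------------------
    def request_reset_hardened(self, email: str) -> dict:
        self._issue_pin(email)
        return {"status": "ok"}                   # PIN travels only via e-mail

    def login_hardened(self, email: str, pin: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or self.clock() < acct.locked_until:
            return False                          # unknown account or still locked out
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.MAX_ATTEMPTS:
            acct.locked_until = self.clock() + self.LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return False


class FakeClock:
    """Constructed controllable clock so lockout expiry can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    svc = PinResetService(clock=clock)
    user = "user@example.com"                     # constructed address

    leaked = svc.request_reset_flawed(user)
    flawed_login = svc.login_flawed(user, leaked["pin"])   # no e-mail access needed

    hardened = svc.request_reset_hardened(user)
    real_pin = svc.outbox[-1][1]                  # what the user reads in e-mail
    wrong_pin = f"{(int(real_pin) + 1) % 10 ** svc.PIN_DIGITS:0{svc.PIN_DIGITS}d}"
    for _ in range(svc.MAX_ATTEMPTS):
        svc.login_hardened(user, wrong_pin)
    refused_while_locked = svc.login_hardened(user, real_pin)
    clock.advance(svc.LOCKOUT_SECONDS + 1)
    accepted_after_lockout = svc.login_hardened(user, real_pin)

    return {
        "flawed_response_leaks_pin": "pin" in leaked,
        "flawed_login_with_leaked_pin": flawed_login,
        "hardened_response_leaks_pin": "pin" in hardened,
        "refused_while_locked": refused_while_locked,
        "accepted_after_lockout": accepted_after_lockout,
    }
```

Note that the hardened reset simply omits the PIN from the response rather than lengthening it: a longer PIN that is still returned to the API caller changes nothing, and the lockout, not the digit count, is what makes online guessing impractical.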

Security researcher Baptiste Robert (aka Elliot Alderson) also discovered and reported the bug, tweeting about it responsibly after the Vatican had issued a fix.

Vatican priest Father Robert R. Ballecer thanked him publicly.

The Vatican and its developers moved pretty quickly to fix the issues when Fidus contacted them, although they moved in mysterious ways. Rather than just taking the PIN out of the API response altogether, they just made it longer, doubling the number of digits to eight.

Fidus responded:

There doesn’t seem to be any direct correlation between the new 8-digit PIN and the correct 4-digit PIN which is sent via e-mail. It is likely the data returned is not random but rather is obfuscated, although it has not been possible to reverse engineer the algorithm used… yet.

A Vatican spokesperson also reportedly said that the brute-forcing issue has been solved too.