ESPN Fantasy Sports Mobile Applications Vulnerability Exposing Private League User Information

ESPN is known for being the worldwide leader in sports and is based out of Bristol, Connecticut. They provide many applications to keep their users involved with their favorite sports. One of those is a fantasy hockey mobile application that allows you to manage your fantasy hockey teams from your phone.

I use this app to manage my own fantasy hockey team, and it keeps me up to date with my weekly matchups. One night I was curious how the application worked. Using Burp Suite, I intercepted the requests being made from the app.

When I navigated through the application and analyzed the Burp Suite intercepts, I noticed that there was a League ID number that corresponded to my league.

The first thing I did was make a private league with a different email address so I would have a valid league ID to test with. I then created some fake entries in the new league. This made it possible to determine how much could be viewed from my original league.

I then signed back onto my original league account and intercepted the GET request being sent from the application when I clicked on the message board. I swapped my current league ID with the league ID of the new private league I had created.


I was then able to see the messages on my private league. I did this with everything I could within the application and found that I could get to all of the information within the private league that I could get to if I were a member of that league. This includes Recent League Activity, League Messages, Announcements, myTeam (for every league member, by swapping the Team ID; this exposed the full name of the team owner(s)), Players on each team, Scoreboard, Standings, Teams, Schedule, League Settings, and Waiver Order.

Picture of the web application trying to access the message board of the test team (functioning properly, with the proper error message):

[Image: WebMessageBoard]

Picture of the mobile application trying to access the message board of the test team (not functioning properly):

[Image: MobAppMessageBoard]

I was not able to make any changes to any team besides my own. The things I tried, using my own accounts, were: dropping a player in a different league, picking up players in a different league, trading a player in a different league, changing the team name as a different player, writing a post on the message board as a different player, and replying to a post as a different player.

This vulnerability was not limited to fantasy hockey. By swapping out the "fhl" in the GET request with the abbreviations of other fantasy sports leagues, I was able to get to other private leagues as well. This was tested by swapping it with "ffl" to get to fantasy football leagues.
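The failed check behind all of this is a classic insecure direct object reference: the API looked up data by the sport code and league ID the client sent, and never asked whether the logged-in user belonged to that league. As an added example that is not ESPN's code and not part of the original post, here is a small Python model of the three states the app went through (no membership check at all, a first fix that gated only private leagues, and a fix that gates member-only data by membership regardless of league visibility), plus a probe that replays the ID and sport-prefix swap. The league data, user names, IDs and handler names are constructed for illustration; the public-league message-board case mirrors what the timeline below reports after the first remediation.

```python
"""
Constructed model of the authorization bug described above. The mobile API
looked up league data by the sport code and leagueId sent by the client
without checking that the caller was a member of that league, so swapping the
ID (or the sport prefix, e.g. "fhl" -> "ffl") returned another league's data.
Everything here (names, IDs, handler names) is made up for illustration and is
not ESPN's code or API.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not allowed to see this resource."""


class NotFound(Exception):
    """No such league."""


@dataclass(frozen=True)
class League:
    league_id: int
    sport: str              # "fhl" = hockey, "ffl" = football (constructed)
    private: bool           # private league vs. publicly viewable league
    members: frozenset      # user names who belong to the league
    messages: tuple         # message-board posts: member-only even in public leagues
    standings: tuple        # fine to show to anyone for a public league


# Constructed sample data: alice's private hockey league, bob's private
# hockey league, and carol's PUBLIC football league.
LEAGUES = {
    ("fhl", 1001): League(1001, "fhl", True, frozenset({"alice"}),
                          ("alice: anyone want to trade?",), ("Team A", "Team B")),
    ("fhl", 2002): League(2002, "fhl", True, frozenset({"bob"}),
                          ("bob: keep this between us",), ("Team C", "Team D")),
    ("ffl", 3003): League(3003, "ffl", False, frozenset({"carol"}),
                          ("carol: league-only note",), ("Team E", "Team F")),
}


def messages_vulnerable(user, sport, league_id):
    """As described in the write-up: trusts the client-supplied IDs entirely.
    The session (user) is never consulted, so any valid ID pair leaks data."""
    return LEAGUES[(sport, league_id)].messages


def messages_first_fix(user, sport, league_id):
    """Models the first remediation: private leagues are gated, but a public
    league's member-only message board is still readable by anyone."""
    league = LEAGUES[(sport, league_id)]
    if league.private and user not in league.members:
        raise Forbidden(f"{user} is not in league {sport}/{league_id}")
    return league.messages


def messages_fixed(user, sport, league_id):
    """Member-only data: require membership regardless of league visibility.
    A missing league and an unauthorized one get the same answer, so the
    error difference cannot be used to enumerate valid IDs."""
    league = LEAGUES.get((sport, league_id))
    if league is None or user not in league.members:
        raise Forbidden(f"{user} may not read messages for {sport}/{league_id}")
    return league.messages


def standings_fixed(user, sport, league_id):
    """Public-by-design data: only private leagues require membership."""
    league = LEAGUES.get((sport, league_id))
    if league is None:
        raise NotFound(f"no league {sport}/{league_id}")
    if league.private and user not in league.members:
        raise Forbidden(f"{user} is not in private league {sport}/{league_id}")
    return league.standings


def probe(handler, user, sport, league_id):
    """Replay the ID-swap test from the write-up against a handler.
    Returns True if the handler returned data, False if it refused."""
    try:
        handler(user, sport, league_id)
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    # alice, logged in to league fhl/1001, swaps the IDs in her requests
    for name, handler in [("vulnerable", messages_vulnerable),
                          ("first fix", messages_first_fix),
                          ("fixed", messages_fixed)]:
        print(name,
              "| other private league:", probe(handler, "alice", "fhl", 2002),
              "| sport swap to public league:", probe(handler, "alice", "ffl", 3003))
```

The point of splitting `messages_fixed` from `standings_fixed` is that "is this league private?" and "is this data member-only?" are different questions. Standings of a public league are meant to be public; its message board is not. A fix that only keys on league privacy (the first-fix handler) leaves the second question unanswered, which is exactly the gap reported in the timeline after the first remediation.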


Disclosure Timeline

10/14/2015: Vulnerability Discovered

10/16/2015: Contacted Dave Carlstrom through LinkedIn.

10/16/2015: Received a reply from Dave Carlstrom with an ESPN email address to send the vulnerability write-up to, and then sent the write-up to that email.

10/16/2015: Received a reply from Jason Tetlow letting me know he was forwarding the write-up to the proper party.

10/28/2015: Received a follow-up email letting me know that the fixes had been applied and deployed. Asked me to verify that everything was fixed.

10/28/2015: Checked the application. Emailed Jason back letting him know that there were still vulnerabilities and gave a brief overview.

11/9/2015: Went through the application more thoroughly and emailed Jason a write-up of the vulnerabilities that still existed. (He forwarded this to the proper party.)

12/8/2015: Checked in with Jason. He said he had not heard anything.

1/4/2016: Sent an email to Jason with another detailed write-up.

1/4/2016: Jason replied and let me know that the instances I found had slipped through the cracks with the last update and the application team was working on a fix.

1/6/2016: Jason emailed me and let me know that they had deployed a fix.

1/7/2016: Checked and let Jason know that people who had publicly available leagues were still vulnerable, because I could read their personal messages (private leagues were secured at this point).

1/20/2016: Sent them another PoC video and showed ESPN that I could still access the private message boards of public teams.

2/9/2016: Received an email forwarded by Jason saying that the last reported issue was not a vulnerability and that the application had actually been functioning properly since the first remediation (not true).

I then checked to see if I could access public teams' personal chats, and I could no longer do so.

My impression is they wanted to quietly fix the issue without acknowledging that there were still issues after the first fix.

2/9/2016: Emailed Jason back letting him know that the main issues were resolved.

A special thanks goes out to ESPN for fast response times, Adam Logue for helping me find and report the vulnerability, and Jason Tetlow for working with me and keeping me updated through the process.