‘Legacy system’ exposed Black Hat 2018 attendees’ contact information blackhat1

A “legacy system” was to blame for exposing the contact information of attendees of this year’s Black Hat security conference.

Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees’ names, email and home addresses, company names, and phone numbers from anyone who registered for the 2018 conference.

In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in its code, which he used to pull his own data from the server without any security checks.

By enumerating and cycling through unique badge ID numbers, he was able to download few hundred Black Hat attendee records from the server. The API was not rate limited either at all or enough to prevent the mass downloading of attendee records, the blog post said.

Security staff at BCard disabled the legacy system’s API within a day of his disclosure, which the researcher later confirmed as fixed.

INT International, which owns BCard, did not immediately respond to a request for comment. Black Hat also did not respond when contacted prior to publication.

Although the data exposure was limited to non-sensitive personal information, the fallout is embarrassing for the world’s most popular security meetup where maintaining strong “opsec” is paramount. Not only do security researchers, hackers, and vendors attend the conference, law enforcement and federal agents also attend.

It’s not the first time a security conference was hit with a security snafu. Earlier this year, the official app for the RSA Conference leaked over a hundred attendee records.