Vatican City, Oct 21, 2019 / 18:40 pm
Shortly after the new “smart rosary” bracelet was released last week, the Vatican discovered an easy route for hackers to retrieve a user’s personal information. The issue has since been fixed.
Launched on Oct. 15, the device is called an eRosary and allows users to track their prayers, find spiritual resources, and connect with an online prayer community.
A few days after its release, Fidus Information Security, a cyber security consulting service, discovered the device’s weak safety measures, which could have allowed hackers to gain access to a user’s personal information such as their phone number, date of birth, gender, and height.
“One of our researchers decided to check out the code, and in just 10 minutes found some glaring issues,” Andrew Mabbitt, founder of Fidus, told The Register tech site.
According to Fidus, the most glaring concern was a flaw that would allow a hacker to access a user's password - a four-digit PIN - without connecting to the user’s email. The application uses API calls to talk to its backend system. Upon request for a user’s email address, the system would send back the user’s PIN in plain text through the API.
Father Frédéric Fornos, international director for the Pope's Worldwide Prayer Network, told The Register that coders were placed on the problem immediately after he heard about the issue on Oct. 17. Since then, the issue has been corrected.
According to The Register, Fidus also found that, because there was no limit on password guesses, hackers would be able to retrieve the PIN by “brute forcing” - systematically trying every possible value until one works. However, a Vatican spokesperson said this issue has also been resolved.
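The two weaknesses the article describes (an email lookup that answered with the PIN in plain text, and a PIN check with no guess limit) are easiest to see side by side with the fixes. The following is an added example written for this page, not GadgTek's, the Vatican's or Fidus's code; the function names, the in-memory stores, the five-attempt lockout policy and the sample account are all assumptions constructed for illustration.

```python
"""Weak vs hardened handling of a four-digit PIN behind a lookup API.
Added example; all names, data and policies here are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored PIN hash
MAX_ATTEMPTS = 5          # assumed policy: lock after five consecutive failures

# --- The flaw as reported: an email lookup that echoes the PIN in the clear ---

LEGACY_USERS = {  # constructed sample record, not a real account
    "alice@example.org": {"phone": "+1-555-0100", "pin": "0421"},
}


def lookup_by_email_vulnerable(email: str) -> Optional[dict]:
    """Returns every stored field, credential included, to any caller."""
    rec = LEGACY_USERS.get(email)
    return None if rec is None else {"email": email, **rec}


# --- Hardened version: hashed PIN, allow-listed response, attempt lockout ---

@dataclass
class UserRecord:
    email: str
    phone: str
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


USERS: Dict[str, UserRecord] = {}
PUBLIC_FIELDS = ("email", "phone")   # allow-list; secret fields are never serialised


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def create_user(email: str, phone: str, pin: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(email, phone, salt, _hash_pin(pin, salt))


def lookup_by_email_hardened(email: str) -> Optional[dict]:
    """Only fields on the allow-list reach the wire; the PIN cannot leak by accident."""
    rec = USERS.get(email)
    if rec is None:
        return None
    return {f: getattr(rec, f) for f in PUBLIC_FIELDS}


def verify_pin(email: str, pin: str) -> str:
    """Returns 'ok', 'wrong', 'locked' or 'unknown'. Failures are counted and the
    account locks, so the 10,000-value PIN space cannot be enumerated online."""
    rec = USERS.get(email)
    if rec is None:
        return "unknown"
    if rec.locked:
        return "locked"
    if hmac.compare_digest(_hash_pin(pin, rec.pin_salt), rec.pin_hash):
        rec.failed_attempts = 0
        return "ok"
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_ATTEMPTS:
        rec.locked = True
        return "locked"
    return "wrong"


def demo() -> dict:
    """Exercises both APIs on the constructed account and reports what each exposes."""
    USERS.clear()
    USERS["alice@example.org"] = create_user("alice@example.org", "+1-555-0100", "0421")
    leak = lookup_by_email_vulnerable("alice@example.org")
    safe = lookup_by_email_hardened("alice@example.org")
    before = verify_pin("alice@example.org", "0421")          # correct PIN: accepted
    wrong = [verify_pin("alice@example.org", f"{i:04d}") for i in range(MAX_ATTEMPTS)]
    after = verify_pin("alice@example.org", "0421")           # locked even though correct
    return {"leaked_pin": leak["pin"], "safe_has_pin": "pin" in safe,
            "correct_pin_before_lock": before, "wrong_guesses": wrong,
            "correct_pin_after_lock": after}


if __name__ == "__main__":
    print(demo())
```

The allow-listed response is the fix for the first finding: a handler that serialises whole records leaks whatever is added to them later, whereas an explicit field list fails safe. The lockout addresses the second: with only ten thousand possible PINs, any check that accepts unlimited guesses is only as strong as the attacker's patience, so counting failures (and ideally also rate limiting per source) is what makes a short PIN viable at all.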
The eRosary was launched under the Pope’s Worldwide Prayer Network and developed by the Taiwan-based tech company GadgTek Inc.