Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope's Click to Pray eRosary app

Vatican coders exorcise API gremlins but, we must confess, they missed one little monster....


Exclusive: The technology behind the Catholic Church’s latest innovation, an electronic rosary, is so insecure, it can be trivially hacked to siphon off worshipers' personal information.


The eRosary, which went on sale this week at just $109 (£85) a pop, consists of ten metallic beads, and a metal cross that’s Bluetooth enabled, has wireless charging, and is motion sensitive.


When the wearer makes the sign of the cross with the rosary, the accompanying Click to Pray app on their paired phone or tablet activates: this software suggests which rosary movements to make, and which prayers to mumble. It can also be configured to remind believers that it's time for a chat with God.


However, infosec bods at UK-based Fidus Information Security quickly uncovered flaws in the backend systems used by the Click to Pray app, which is available for iOS and Android. The security vulnerabilities are more embarrassing than life-threatening.


'Bodged'


“One of our researchers decided to check out the code, and in just 10 minutes found some glaring issues,” Andrew Mabbitt, founder of Fidus, told The Register on Friday. “It looks like someone’s taken a fitness band app and bodged it together with existing code that leaves any user account hackable.”


The Fidus egghead who found the flaw, Chris, explained there were two key issues. Firstly, when you install the Click to Pray app, you're asked to create an online account. This profile is protected by a four-digit PIN. Yes, just four digits to log into your profile from the Click to Pray app. Th ..
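To show why a four-digit PIN is a weak account credential on its own, and what a backend can do to contain that weakness, here is an added example. It is not code from The Register's article, from Fidus, or from the Click to Pray app; the `PinVerifier` service, its `max_failures` and `base_lockout_s` parameters, the `ManualClock` helper and the sample account "alice" are all constructed for illustration. The service stores PINs as salted PBKDF2 hashes, compares them in constant time, gives the same answer for an unknown user as for a wrong PIN, and locks the account with a doubling delay once a failure threshold is reached; `max_guesses_in_window` then works out how much of the 10,000-value PIN space that policy lets an attacker cover in a day.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# A four-digit numeric PIN has only 10,000 possible values.
PIN_SPACE = 10 ** 4


class ManualClock:
    """Deterministic clock for the demo and tests (stands in for time.monotonic)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 makes each server-side check deliberately slow; the per-account
    # salt stops one precomputed table from covering every account.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class PinVerifier:
    """Hypothetical server-side PIN login with a failure counter and escalating lockout."""

    def __init__(self, max_failures: int = 5, base_lockout_s: float = 60.0, clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.base_lockout_s = base_lockout_s
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt=salt, pin_hash=hash_pin(pin, salt))

    def verify(self, user: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals whether the user exists."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # even the right PIN is refused while the lockout runs
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            # Lockout doubles with every further failure: 60 s, 120 s, 240 s, ...
            acct.locked_until = now + self.base_lockout_s * 2 ** (acct.failures - self.max_failures)
        return "denied"


def max_guesses_in_window(max_failures: int, base_lockout_s: float, window_s: float) -> int:
    """How many PIN guesses the lockout policy permits against one account within window_s seconds."""
    t = 0.0
    guesses = 0
    while t <= window_s:  # a guess is possible as soon as the current lockout ends
        guesses += 1
        if guesses >= max_failures:
            t += base_lockout_s * 2 ** (guesses - max_failures)
    return guesses


if __name__ == "__main__":
    clock = ManualClock()
    svc = PinVerifier(clock=clock)
    svc.register("alice", "1234")  # constructed sample account
    print(svc.verify("alice", "1234"))  # ok
    for _ in range(5):
        print(svc.verify("alice", "0000"))  # denied five times, lockout starts
    print(svc.verify("alice", "1234"))  # locked, despite the correct PIN
    clock.advance(60)
    print(svc.verify("alice", "1234"))  # ok again once the lockout expires
    per_day = max_guesses_in_window(5, 60.0, 86400)
    print(f"{per_day} guesses/day = {per_day / PIN_SPACE:.2%} of the PIN space")
```

With no throttling at all, every one of the 10,000 PINs can be tried against an account in well under a day; with the policy above, fifteen guesses fit in 24 hours, which is 0.15% of the space. The lockout is a containment measure rather than a fix: a short numeric PIN still needs a second factor or a stronger credential before it should guard personal data.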