Flash Seats, the AXS-owned digital ticketing system, has been accused of putting users’ personal data at risk due to flawed security.
A vulnerability advisory by the CERT Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University in Pittsburgh said the Flash Seats iOS app is vulnerable to man-in-the-middle attacks because it is “failing” to properly validate the SSL certificates presented over HTTPS connections. The flaw is present in version 1.9.51 and earlier of the app.
CERT/CC said it is currently unaware of a practical solution to the problem and told consumers “do not use affected versions of the application”. It recommended that users who still need the service avoid public Wi-Fi and other untrusted networks, and consider using the Flash Seats website instead.
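To illustrate the class of bug the advisory describes, here is an added example (not Flash Seats’ code and not taken from the advisory) showing the URLSession pattern that disables certificate validation beside a form that enforces it. The two delegate classes, `InsecureDelegate` and `ValidatingDelegate`, and the host name `example.com` are assumptions made for this illustration.

```swift
import Foundation
import Security

// VULNERABLE pattern (hypothetical illustration): the delegate accepts any
// server trust object without evaluating it, so a self-signed or attacker-issued
// certificate is treated exactly like a valid one. This is the kind of missing
// validation that lets a network-adjacent attacker read or modify HTTPS traffic.
final class InsecureDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Blindly trusts whatever certificate the server presented.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED pattern: only handle server-trust challenges, pin the evaluation
// policy to the host being contacted, evaluate the chain against the system
// trust store, and cancel the connection when evaluation fails.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Require the leaf certificate to match the host name of this request.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Untrusted chain, expired certificate, or host mismatch: refuse to proceed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: the validating delegate is attached to the session; the insecure one
// is shown only so reviewers can recognise the pattern in a code audit.
let session = URLSession(configuration: .default,
                         delegate: ValidatingDelegate(),
                         delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://example.com/")!) { _, response, error in
    if let error = error {
        print("request failed (expected for an untrusted certificate): \(error)")
    } else if let http = response as? HTTPURLResponse {
        print("status: \(http.statusCode)")
    }
}
task.resume()
```

The simplest hardened form is to implement no server-trust handling at all: when an app does not override the challenge delegate, URLSession performs full certificate validation by default. Custom handlers are where validation is most often switched off, so a review of an app for this bug class starts with every `didReceive challenge` implementation and every call that returns `.useCredential` for a server-trust challenge without a preceding `SecTrustEvaluateWithError` (or equivalent) check.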
Flash Seats’ partners include the NBA’s Cleveland Cavaliers and Utah Jazz, as well as the NFL’s Detroit Lions, several MLS teams and a host of major North American venues.
“An attacker on the same network as the iOS device may be able to view or modify network traffic that should have been protected by HTTPS, which may lead to the exposure of sensitive account information, including login credentials,” said CERT/CC in a statement.
“The features and services provided by the application are likely accessible via the Flash Seats web site. By using a web browser to access those resources, you may avoid situations where SSL is not validated.”
Flash Seats did not immediately reply to a request for a response to CERT/CC’s assessment.