Pwned while praying – The Vatican’s eRosary had glaring security flaws

Share on facebook
Share on twitter
Share on linkedin
Share on email

Last week we spotted the Click to Pray eRosary for sale online and while it’s a niche item, we can understand the Vatican’s push to become more tech savvy so as to appeal to youngsters.

The eRosary is a rosary but with some decidedly smart features including a six-axis gyro and the ability to pair it with the Click to Pray app.

Despite it coming from the esteemed halls of the Vatican, the eRosary appears to suffer from something many smart devices do as well – security flaws.

UK penetration testers Fidus Information Security discovered that by manipulating the Click to Pray API an attacker could compromise an account with “minimal effort”.

The firm writes that users can log in to the app using Google Authentication, Facebook Authentication or an email with a four digit code instead of a password. If your first thought is that the four digit code is the issue you would be correct.

“When the application requests a PIN to be sent it calls ‘resend_pin’, which sends the pin to the email but catastrophically also returns the PIN the API’s response; making it possible for anybody to obtain the 4 digit PIN being sent WITHOUT e-mail access,” writes Fidus.

The good news is that Click to Pray doesn’t store any financial information. With that having been said, the personal information an attacker could have gleaned is worrying.

For even better news, The Register reports that the Vatican has fixed the problem, sort of.

The fix removes the PIN in the API call but, an attacker can still guess the four digit code as may times as they want as Click to Pray doesn’t appear to have any brute force protection.

For now, the eRosary has one less security flaw. With that having been said perhaps you should opt for a low-tech solution when it comes to saying your prayers. At least that way attackers won’t be able to compromise you while you pray.

[Image – CC 0 Pixabay]

Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.