A report by the American Consumer Institute Center for Citizen Research (ACI) found that the Vivid Seats app had a number of what it deemed “critical vulnerabilities” due to its use of open source code. The report, which examined the ten most popular applications in the main categories available on the Google Play Store, found that 105 of the 330 apps had known vulnerabilities.
“The vulnerabilities range from low to critical, and can be exploited to compromise consumer and enterprise devices, to perform data theft, identity theft, fraud or corporate espionage,” according to a post on the survey by Helpnetsecurity.com.
Apps in the ticketing ecosystem reviewed included Vivid Seats, Gametime, SeatGeek, StubHub, and Ticketmaster. Vivid’s app was the only one noted in the report as having substantial vulnerabilities, based on scans done using Insignary’s Clarity scanning software. It “had the highest risk in its category, including 19 critical vulnerabilities,” the report reads. “After retesting the newest software, the Clarity scans showed that the Vivid Seats software was still suffering from the same vulnerabilities.”
Vivid Seats is certainly not alone in carrying such risks, as the report notes. While 32% of the 330 surveyed applications were found to have known vulnerabilities, 43 percent of those were categorized as “high” or “critical” in nature. High and critical vulnerabilities “are more easily exploited and could cause significantly more damage than low and medium vulnerabilities,” the report states.
The report suggested that all companies needed to invest in more resources to find and fix known security vulnerabilities to avoid situations where consumer data is compromised. Ticketing is no stranger to this concept, with Ticketmaster and Ticketfly both experiencing high-profile breaches this year alone. More than 26 million users saw personal information compromised in the hack that brought down Ticketfly this spring. Personal and payment information was breached for an estimated 40,000 Ticketmaster users in the UK this summer, which could bring with it major fines due to the new GDPR regulations overseas.
Neither of those incidents was known to have involved an exploit within an application system, but the message to all e-commerce companies is clear regarding the increasing threats from bad actors related to any secured system.
“It is imperative that apps providers address [known security flaws] to prevent consumer devices from being compromised and to protect the public against malicious online activity, loss of personal and company information, and identity theft,” the report says in its closing. “Apps providers need to develop best-practices now that will reduce these risks, or it will likely face a backlash from the public and policymakers.”