An application for the Cirque du Soleil show, Toruk – The First Flight, is reportedly vulnerable due to a lack of focus on security, according to a blog post from researchers at ESET.
The show, which had its final night in London on June 30th, encouraged users to download the app so they could enhance their evening with content such as backstage videos and images.
The app also synchronised devices with the performance so users could experience audio-visual effects based on their seat location.
However, the app reportedly suffers from a lack of authentication. While in use, the app allows the show's operators to issue a series of commands to devices via the open port 6161, but the lack of authentication could also have given others on the same public Wi-Fi network the same level of access. The ESET blog post reported that others could ‘scan the network for the IP addresses of devices with an open port 6161, and then send their own admin-style commands to those devices.’
Statistics pulled from Google Play showed that the app had been downloaded more than 100,000 times, but it has now been removed from marketplaces.
Cirque du Soleil commented: “Cirque du Soleil has not yet received any notification from its users that they have been potentially affected by the vulnerability issues of the TORUK mobile application.”
Users who still have the app installed remain vulnerable and should uninstall it as soon as possible.
Ensuring your device’s security when downloading apps can be a bit of a juggling act for users. The Cirque du Soleil app was available from an official application store, but the NCSC would still encourage users to only download apps from these official stores because issues and vulnerabilities are more likely to be found and resolved. You should also be aware of what you’re allowing an app to access on your device (for example, your camera, contacts, etc.) and make a judgement call based on whether you are comfortable with that.