A major security flaw has been discovered in the Vatican’s eRosary smart device.
Last week, the Vatican announced the launch of its Click to Pray eRosary, a wearable that is dormant until it detects its user making the sign of the cross. It can be held, but can also be worn as a bracelet, and is made up of 10 consecutive black agate and hematite rosary beads, plus a data-storing “smart cross.” Once active, users can opt to pray a standard rosary, a contemplative rosary or a thematic rosary, which will be updated throughout the year. The device logs the user’s progress through each prayer in the rosary prayer cycle and keeps track of each rosary completed. The smart rosary, which retails for $110, comes with a support app.
But French security researcher Elliot Alderson said that he actually discovered a major security flaw in the app within 15 minutes, which would allow a hacker to take over a person’s account by knowing the user’s registered email address.
“This vulnerability is very severe as it allows an attacker to take over the victim’s account and get his personal information,” he said in a message, according to CNET.
And UK-based Fidus Information Security revealed on Twitter that its researchers had “developed a full account takeover exploit. Can obtain e-mails, phone numbers, height, weight and other personal data.”
The issue has reportedly been fixed after both Alderson and Fidus informed the Vatican of their findings at roughly the same time. As Fidus pointed out, “Luckily it’s so new it’s not in the wild yet.”
Its new smart device is the Vatican’s latest move to embrace technology in an effort to attract more people to the Catholic church. The Vatican was an early adopter of the iPhone, and rolled out its first app in 2008. Pope Francis also has had an Instagram account since last March and currently has 6.3 million followers.