A security firm has found a glaring vulnerability in the NFL Mobile application. The user’s credentials are sent in the clear in a secondary, unencrypted API call. The username and the user’s email address were also found in an unencrypted cookie that is created upon login and used in subsequent calls made by the mobile application to different NFL.com domains. The NFL was notified last Monday and has yet to reply. The National Football League reached out to Threatpost on Wednesday and said the vulnerability has been addressed.
Source: https://threatpost.com/nfl-mobile-app-leaks-unencrypted-credentials/110694/

