Black Hat Badge Attack Reveals Attendees' PII

In a brief blog post full of informative screenshots, a Colorado security researcher known as NinjaStyle details how easily he figured out how to pull personal information belonging to attendees of this year's Black Hat security conference. His snooping reveals that personally identifiable information for every attendee of the conference could be gathered in as little as six hours from an API used to collate marketing data from scans of attendees' conference badges. NinjaStyle found that he could pull his own information by supplying his badge number to the API, and then realized that he could simply submit the full range of possible badge numbers by brute force.
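The defender's side of the pattern described above, as an added example that is not part of the original post: a log check that flags clients sweeping a badge-lookup endpoint through many distinct, consecutive badge numbers in a short window. The endpoint path `/api/attendee?badge=<n>` and the log lines are constructed assumptions, not details from the researcher's write-up.

```python
"""Detect badge-number enumeration against a lookup API in access logs.

Added example; the endpoint and the sample log below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /api/attendee\?badge=(?P<badge>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one client reads its own badge twice, another sweeps a range.
# A 404 for a non-existent badge is still part of the sweep and is counted as such.
SAMPLE_LOG = """\
2018-08-09T10:00:01Z 198.51.100.7 GET /api/attendee?badge=104877 200
2018-08-09T10:00:02Z 203.0.113.5 GET /api/attendee?badge=100001 200
2018-08-09T10:00:02Z 203.0.113.5 GET /api/attendee?badge=100002 200
2018-08-09T10:00:03Z 203.0.113.5 GET /api/attendee?badge=100003 404
2018-08-09T10:00:03Z 203.0.113.5 GET /api/attendee?badge=100004 200
2018-08-09T10:00:04Z 203.0.113.5 GET /api/attendee?badge=100005 200
2018-08-09T10:00:04Z 203.0.113.5 GET /api/attendee?badge=100006 200
2018-08-09T10:00:05Z 198.51.100.7 GET /api/attendee?badge=104877 200
"""

def parse(log_text):
    """Yield (timestamp, ip, badge, status) for each line matching LOG_RE."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], int(m["badge"]), int(m["status"])

def find_enumerators(log_text, window_s=60, min_distinct=5, min_sequential=0.6):
    """Flag clients that query at least `min_distinct` badge numbers within
    `window_s` seconds, mostly in ascending consecutive order (a range sweep)."""
    by_ip = defaultdict(list)
    for ts, ip, badge, _status in parse(log_text):
        by_ip[ip].append((ts, badge))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; badge number breaks ties
        span = (events[-1][0] - events[0][0]).total_seconds()
        badges = [b for _, b in events]
        distinct = len(set(badges))
        if span > window_s or distinct < min_distinct:
            continue  # a normal client reading its own record never gets here
        steps = [b2 - b1 for b1, b2 in zip(badges, badges[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
        if seq_ratio >= min_sequential:
            flagged[ip] = {"distinct": distinct, "sequential_ratio": round(seq_ratio, 2)}
    return flagged
```

The same check is cheap to run on a rate-limiter's side: a lookup endpoint keyed by a small, sequential identifier should never see a single client walk hundreds of consecutive values.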

Attacks like this one demonstrate how seemingly benign objects like a conference badge can reveal a surprising amount of information about their possessors. Such attacks also underline the very real fact that the world around us is teeming with untold numbers of easily exploitable troves of personal data, many of which we will never know about.

Be careful out there.