Northeastern team helped Match, Athenahealth apps stop leaking passwords

The Android app from dating site Match and a physician’s drug search app made by Athenahealth contained a bug that left passwords and usernames unprotected, a team at Northeastern University has found.

Both apps were among hundreds that the Northeastern researchers found sent personal information such as home addresses and names, and in some cases usernames and passwords, from smartphones to company servers without encrypting that data.

As a result, any user logging into the app while on a public Wi-Fi network, such as the free networks in cafes or airports, could unwittingly reveal their personal data to others using a simple program to watch network traffic.

“It’s like walking around a room and eavesdropping on conversations,” said David Choffnes, a computer science professor and team lead on the project.

BetaBoston