Enterprise security company Zscaler said that popular sports app ESPN Score Center had “significant security vulnerabilities that could compromise users’ mobile devices”, including the threat of data theft.

ESPN said it had subsequently addressed the vulnerabilities, and Zscaler confirmed the fix.

Michael Sutton, VP of security research at Zscaler, said the underlying issue is that many apps are either web-based or mix web content with native elements. “As such, vulnerabilities common to web applications can also occur in mobile apps,” he said.

In the case of ESPN Score Center, the app exposed a cross-site scripting (XSS) flaw, which allows active content such as JavaScript to be injected into the app, and it sent authentication credentials in clear text when accounts were first created.

The flaws were discovered using Zscaler’s Application Profiler (ZAP), a tool that lets users search for any iOS or Android app by name and receive an instant assessment of its security and privacy risks.

ZAP can also be used to scan traffic from an app installed on a device, to see if data is being exposed.
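The kind of traffic check described above can be sketched in a few lines. This is an added example, not Zscaler's tool or code from the article: it walks a list of captured app requests and flags any sent over plain HTTP that carry credential-like fields, as the account-creation request did. The request dictionary layout, the field-name list and the `example.test` host are assumptions, and the capture is constructed.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Field names treated as credentials (an assumption; extend for the app under test).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "username", "email", "token"}

def _fields(request):
    """Yield (name, location) for each parameter in the query string and body."""
    for name, _ in parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True):
        yield name, "query"
    body = request.get("body", "")
    if "json" in request.get("content_type", ""):
        try:
            data = json.loads(body)
        except ValueError:
            data = {}  # malformed JSON: nothing to inspect
        if isinstance(data, dict):
            for name in data:
                yield name, "body"
    else:
        for name, _ in parse_qsl(body, keep_blank_values=True):
            yield name, "body"

def find_cleartext_credentials(requests):
    """Return (method, url, fields) for each plain-HTTP request carrying credentials."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() != "http":
            continue  # TLS-protected requests are out of scope for this check
        hits = sorted({f"{loc}:{name}" for name, loc in _fields(req)
                       if name.lower() in CREDENTIAL_KEYS})
        if hits:
            findings.append((req["method"], req["url"], hits))
    return findings

# Constructed sample capture (hosts, paths and values are made up).
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example.test/account/create",
     "content_type": "application/x-www-form-urlencoded",
     "body": "username=fan01&password=hunter2&team=nyy"},
    {"method": "POST", "url": "https://api.example.test/account/login",
     "content_type": "application/json",
     "body": '{"username": "fan01", "password": "hunter2"}'},
    {"method": "GET", "url": "http://api.example.test/scores?league=mlb",
     "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for method, url, hits in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"CLEARTEXT CREDENTIALS {method} {url} -> {', '.join(hits)}")
```

Only the first sample request is reported: the login request carries the same fields but travels over HTTPS, and the scores request is cleartext but holds no credentials.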