A Cirque du Soleil mobile app that was used to provide additional audiovisual effects during performances has been found to have significant vulnerabilities that put audience members at risk.

The app, which was designed for the Avatar-inspired show Toruk, was found to have vulnerabilities by Lukáš Štefanko, a security researcher at cybersecurity software provider ESET.

The company has advised Cirque du Soleil about the issues, and the entertainment group has said it plans to pull the app from both the Android and iOS stores now that the performance has ended its run.

Štefanko found that the app lacked basic security protocols, which meant anyone connected to the same network could access an audience member’s device and make changes to it.

“The problem is that the app has no authentication protocol in place. An adversary can scan the network and get the IP addresses of devices with the defined port opened – port 6161 – and send commands to all devices running the app,” he said.

“It appears that the Toruk app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators.”
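The quotes above describe a command listener that accepts anything reaching its port. As an added illustration (not code from ESET, Cirque du Soleil or the Toruk app, whose real command format is not described here), the following contrasts that pattern with a handler that requires each command to carry an HMAC over a per-device pairing key and a sequence number; the JSON message layout, the pairing-time key and the command strings are assumptions for this example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Assumed message format (constructed for this example):
#   {"seq": <int>, "cmd": <str>, "tag": <hex HMAC-SHA256 over "seq:cmd">}
# The key is assumed to be provisioned to each device during an explicit
# pairing step controlled by the operator, never learnable from the network.


@dataclass
class DeviceState:
    key: bytes
    last_seq: int = -1
    executed: list = field(default_factory=list)


def _tag(key: bytes, seq: int, cmd: str) -> str:
    return hmac.new(key, f"{seq}:{cmd}".encode(), hashlib.sha256).hexdigest()


def build_command(key: bytes, seq: int, cmd: str) -> str:
    """Operator side: sign a command with the shared per-device key."""
    return json.dumps({"seq": seq, "cmd": cmd, "tag": _tag(key, seq, cmd)})


def handle_unauthenticated(state: DeviceState, raw: str) -> str:
    """The weak pattern: any peer on the LAN that reaches the port is trusted."""
    state.executed.append(json.loads(raw)["cmd"])
    return "ok"


def handle_authenticated(state: DeviceState, raw: str) -> str:
    """Hardened handler: reject malformed, unsigned, forged or replayed commands."""
    try:
        msg = json.loads(raw)
        seq, cmd, tag = int(msg["seq"]), str(msg["cmd"]), str(msg["tag"])
    except (ValueError, KeyError, TypeError):
        return "rejected: malformed"
    # Constant-time comparison so tag checking leaks nothing about the key.
    if not hmac.compare_digest(tag, _tag(state.key, seq, cmd)):
        return "rejected: bad tag"
    # A strictly increasing sequence number stops replay of captured commands.
    if seq <= state.last_seq:
        return "rejected: replay"
    state.last_seq = seq
    state.executed.append(cmd)
    return "ok"
```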

Cirque du Soleil mobile app users remain at risk

The app, which has been installed over 100,000 times on Android alone, had vulnerabilities that make it possible for a malicious user to connect affected phones to other nearby Bluetooth devices, display animations, and read and write the shared preferences the app has been given permission to access. They also allow a malicious actor to remotely change volume settings or ‘Like’ pages or posts on Facebook.

While these seem like relatively minor threats, they open the door for a host of malicious intrusions, putting users of the Cirque du Soleil mobile app at serious risk.

And notably, the vulnerability is not specific to the show: anyone with the app still installed remains exposed.

“Those who installed this app should uninstall it immediately,” said Štefanko. “By the way, we highly recommend doing that with all single-purpose apps.”
