Black Hat USA is a leading information security event held in Las Vegas, USA every year. A lot of high profile people attend like security researchers, high profile vendors, hackers, law enforcement officials and federal employees. A security researcher and pen tester from Colorado who goes by the handle NinjaStyle said it took him about six hours to extract registered attendees names, email addresses, company names, phone numbers and addresses through an exposed API. He was able to read the NFC tag they give out to attendees and get a URL for He downloaded a BCard APK and used Jadx to decompile the APK to Java and began grepping through the code to find API endpoints. He then basically brute forced a bunch of possible badgeIDs and eventID values until he received the 18,000 BlackHat attendees data (process took 6 hours). Turns out the API was a part of a legacy system, the folks over at bcard seemed to be responsive and fixed the issue.

NinjaStyle Blog Post Here