
Coding Error Leaves Hundreds Of Messaging Apps Vulnerable


Appthority's director of security research, Seth Hardy, told Reuters, "This isn't just limited to Twilio". Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said. "The affected Android apps had been downloaded up to 180 million times". Such apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple's iOS-based devices. That's still a pretty large number, but unfortunately Appthority didn't publish a full list of apps that are still live.

Other apps that use Twilio Inc. include those of Uber Technologies Inc. and Netflix Inc. The report also said there was no indication that either of the two was affected.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide.

"The complexity of computing environments and software applications means in both instances, developers and system admins are relying on third-party code and infrastructure to enable services", said Chris Morales, head of security analytics at Vectra, via email. Rather, this vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks. Using the stolen credentials, a hacker could bypass authentication checks and steal user data handled by Twilio and other third-party services. The AT&T app was a re-branded version of an app originally built by Telenav.

The researchers also warned that credentials used by at least 902 app developer accounts were found stored in Amazon Web Services servers.

When the credentials are hard-coded into the app, it is possible for an attacker to hijack those credentials by examining the app's code.

The cause of the Eavesdropper issue is careless developers.

To its credit, Appthority has not listed all the apps that could be vulnerable, save for some that are now defunct, such as the AT&T Navigator mapping and Global Positioning System app. Twilio has confirmed to Reuters that the company has found no evidence that hackers have used the credentials to access customer data, and that it is working with developers to change credentials on affected accounts.

The vulnerability, which Appthority researchers have dubbed Eavesdropper, was introduced when developers "carelessly" hard-coded their credentials in mobile apps using the Twilio REST API or SDK for communications services. Wrappup and RingDNA could not immediately be reached for comment.

Appthority provided the names of only a couple of apps out of the 685 which are affected in a bid to not "tip off potential hackers", Reuters reported.
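A pre-release check for the mistake described above, written for this page as an added example (it is not Appthority's or Twilio's code): it scans app source text for a Twilio Account SID and a nearby 32-character hex string that may be the matching auth token. The sample files, the `WINDOW` proximity rule and the function names are assumptions made for the illustration.

```python
import re

# Twilio Account SIDs are "AC" + 32 hex characters; auth tokens are 32 hex
# characters. A bare 32-hex string is too generic (MD5 sums look the same), so
# it is reported only when it sits within WINDOW lines of an Account SID.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
WINDOW = 2  # assumption: SID and token are declared close together

# Constructed sample of a hard-coded client; the values are placeholders.
SAMPLE_HARDCODED = """\
public class SmsClient {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    void send(String to, String body) { /* ... */ }
    int retries = 3;
    static final String ICON_MD5 = "00112233445566778899aabbccddeeff";
}
"""

# Constructed sample with no provider credentials in the client code.
SAMPLE_CLEAN = """\
public class SmsClient {
    static final String BACKEND = "https://backend.example.invalid/send";
}
"""

def redact(value):
    """Keep a short prefix so the report never carries the full secret."""
    return value[:6] + "..."

def scan_source(name, text):
    """Return (file, line_no, kind, redacted_value) for each suspected secret."""
    lines = text.splitlines()
    sid_lines = [i for i, line in enumerate(lines) if SID_RE.search(line)]
    findings = []
    for i, line in enumerate(lines):
        for m in SID_RE.finditer(line):
            findings.append((name, i + 1, "twilio_account_sid", redact(m.group())))
        if any(abs(i - s) <= WINDOW for s in sid_lines):
            for m in TOKEN_RE.finditer(line):
                findings.append((name, i + 1, "possible_auth_token", redact(m.group())))
    return findings

if __name__ == "__main__":
    for finding in scan_source("SmsClient.java", SAMPLE_HARDCODED):
        print(finding)
```

The unrelated `ICON_MD5` value is not reported because it is more than `WINDOW` lines from the SID; any credential the scan does find should be rotated, not just deleted from the source.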


