
Coding Error Leaves Hundreds Of Messaging Apps Vulnerable

Appthority's director of security research, Seth Hardy, told Reuters, "This isn't just limited to Twilio". Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said. The affected apps have been installed as many as 180 million times on Android phones and an unknown number of times on Apple's iOS devices. That is still a large number, but Appthority did not publish a full list of the apps that are still live.

Other companies that use Twilio Inc. include Uber Technologies Inc. and Netflix Inc., but the report said there was no indication that either of the two was affected.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide.

"The complexity of computing environments and software applications means in both instances, developers and system admins are relying on third-party code and infrastructure to enable services", said Chris Morales, head of security analytics at Vectra, via email. The vulnerability shows how a simple developer mistake, exposing credentials in one app, can affect the larger family of apps by the same developer that reuse those credentials, compromising even apps where best practices were otherwise followed, through side-channel and historical attacks. Using the stolen credentials, a hacker could bypass authentication checks and steal user data handled by Twilio and other third-party services. The AT&T Navigator app named by the researchers was a re-branded version of an app originally built by Telenav.

The researchers also warned that they had found credentials for at least 902 app developer accounts with Amazon Web Services.

When credentials are hard-coded into an app, an attacker can hijack them simply by examining the app's code: anyone can download a published app, decompile it, and read the embedded strings.

The cause of the Eavesdropper issue is careless development practice rather than a flaw in the messaging service itself: developers embedded their own account credentials in the apps they shipped.

To their credit, Appthority has not listed all the apps that could be vulnerable, naming only some that are now defunct, such as the AT&T Navigator mapping and Global Positioning System app. Twilio has confirmed to Reuters that the company has found no evidence that hackers have used the credentials to access customer data, and that it is working with developers to change the credentials on affected accounts.

The vulnerability, which Appthority researchers have dubbed Eavesdropper, was introduced when developers "carelessly" hard-coded their credentials into mobile apps that use the Twilio REST API or SDK for communications services. Wrappup and RingDNA could not immediately be reached for comment.
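As an added illustration (not code from Appthority, Twilio, or the article), the following Python scanner shows what "examining the app's code" amounts to in practice: once an APK or IPA has been unpacked with a tool such as apktool, hard-coded service credentials are ordinary string literals that a handful of patterns will pick out. The identifier formats are assumed from publicly documented conventions (Twilio Account SIDs begin with "AC" followed by 32 hex characters, Twilio API key SIDs with "SK", AWS access key IDs with "AKIA"); a Twilio auth token is an undistinguished 32-hex string, so it is only reported when the same line names something secret-like, which keeps checksums out of the results. The app names, file contents and credential values below are constructed for the example, and the AWS key is the placeholder from AWS documentation. The last function makes the point from the Vectra comment concrete: the same credential turning up in several apps from one vendor means that one leak, or one revocation, touches the whole family.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Identifier formats assumed from publicly documented conventions (not taken
# from the Appthority report): Twilio Account SID = "AC" + 32 hex chars,
# Twilio API key SID = "SK" + 32 hex chars, AWS access key ID = "AKIA" + 16.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "twilio_api_key_sid": re.compile(r"\bSK[0-9a-fA-F]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A Twilio auth token is a bare 32-hex string, so it is only reported when
# the same line names something secret-like. Hashes on other lines are ignored.
SECRET_NAME = re.compile(r"(?i)auth[_-]?token|secret|api[_-]?key|password")
HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


@dataclass(frozen=True)
class Finding:
    app: str
    path: str
    line_no: int
    kind: str
    value: str


def scan_file(app, path, text):
    """Return credential-looking literals found in one decoded source or resource file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(app, path, line_no, kind, match.group(0)))
        if SECRET_NAME.search(line):
            for match in HEX32.finditer(line):
                findings.append(Finding(app, path, line_no, "possible_auth_token", match.group(0)))
    return findings


def scan_apps(apps):
    """apps maps app name -> {relative path: file text}, e.g. the tree apktool writes out."""
    findings = []
    for app, files in apps.items():
        for path, text in files.items():
            findings.extend(scan_file(app, path, text))
    return findings


def shared_credentials(findings):
    """Map each credential value to the apps embedding it, keeping only values
    present in more than one app: the 'family of apps' case from the article."""
    by_value = defaultdict(set)
    for finding in findings:
        by_value[finding.value].add(finding.app)
    return {value: apps for value, apps in by_value.items() if len(apps) > 1}


def redact(value):
    """Show enough of a credential to recognise it in a report without reprinting it."""
    return value[:6] + "..." + value[-4:]


# Constructed sample: decoded resources from two fictitious apps by one vendor.
# The update_md5 line is a checksum, not a secret, and must not be reported.
SAMPLE_APPS = {
    "com.example.navigator": {
        "res/values/strings.xml": (
            '<string name="twilio_sid">AC0123456789abcdef0123456789abcdef</string>\n'
            '<string name="twilio_auth_token">deadbeefdeadbeefdeadbeefdeadbeef</string>\n'
            '<string name="update_md5">0123456789abcdef0123456789abcdef</string>\n'
        ),
        "smali/com/example/Sync.smali": 'const-string v0, "AKIAIOSFODNN7EXAMPLE"\n',
    },
    "com.example.navigator.lite": {
        "res/values/strings.xml": (
            '<string name="twilio_sid">AC0123456789abcdef0123456789abcdef</string>\n'
            '<string name="twilio_auth_token">deadbeefdeadbeefdeadbeefdeadbeef</string>\n'
        ),
    },
}

if __name__ == "__main__":
    found = scan_apps(SAMPLE_APPS)
    for f in found:
        print(f"{f.app} {f.path}:{f.line_no} {f.kind} {redact(f.value)}")
    for value, apps in shared_credentials(found).items():
        print(f"{redact(value)} is shared by {len(apps)} apps: {sorted(apps)}")
```

Against a real target, the dictionary would be replaced by the file tree produced by `apktool d app.apk` (or the decompiled output of a Java decompiler for the DEX code), since the Android resource files and smali are where such literals surface. The pattern list is deliberately short; a production secret scanner adds entropy scoring and many more provider formats, but the failure mode is the same one the article describes: a credential that lives in the client is a credential the client's users hold.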

Appthority named only a couple of the 685 affected apps, in a bid not to "tip off potential hackers", Reuters reported.
