Coding Error Leaves Hundreds Of Messaging Apps Vulnerable

Appthority's director of security research, Seth Hardy, told Reuters, "This isn't just limited to Twilio". Hackers could access those credentials by reviewing the code in the apps, then gain access to data sent over those services, he said. "The affected Android apps had been downloaded up to 180 million times"; how many times they were installed on Apple's iOS-based devices is unknown. That is still a large number, but unfortunately Appthority did not publish a full list of the apps that are still live.

Uber Technologies Inc. and Netflix Inc. are among the other companies whose apps use Twilio Inc., but the report said there was no indication that either of the two was affected.

The findings highlight new threats posed by the increasing use of third-party services such as Twilio, which says on its website that it powers communications for more than 40,000 businesses worldwide.

"The complexity of computing environments and software applications means in both instances, developers and system admins are relying on third-party code and infrastructure to enable services", said Chris Morales, head of security analytics at Vectra, via email. The Eavesdropper vulnerability shows how a single developer mistake, exposing credentials in one app, can affect a larger family of apps from the same developer that share the same credentials, and can even compromise other apps where best practices were followed, through side-channel and historical attacks. Using the stolen credentials, an attacker could bypass authentication checks and steal user data handled by Twilio and other third-party services. The AT&T app, for example, was a rebranded version of an app originally built by Telenav.

The researchers also warned that credentials for at least 902 app developer accounts were found stored on Amazon Web Services servers.

When credentials are hard-coded into an app, an attacker can recover them simply by examining the app's code, for instance by decompiling the published binary and searching it for credential-shaped strings.
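The "examine the app's code" step above, together with the family-of-apps point made earlier, as an added example that is not Appthority's tooling or any code from the page: a small Python scanner that looks for Twilio Account SIDs (a public identifier format, "AC" followed by 32 hex characters) and adjacent 32-hex auth tokens in decompiled sources, then groups the findings by Account SID so that apps sharing one credential show up together. The sample sources, app identifiers, credentials and the backend URL are constructed for the example and are not real.

```python
import re
from collections import defaultdict

# Twilio Account SIDs are public identifiers of the form "AC" + 32 hex characters;
# auth tokens are 32 hex characters with no prefix. Together they grant full REST
# API access to the account, which is why finding both in an app matters.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# A bare 32-hex string is only reported as a token when the same line also hints
# at Twilio or an auth token, to keep hashes and session ids out of the results.
TOKEN_HINT_RE = re.compile(r"auth[_\s]*token|twilio", re.IGNORECASE)


def find_credentials(source):
    """Return [(line_no, kind, value)] for Twilio credentials hard-coded in source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append((line_no, "account_sid", m.group()))
        if TOKEN_HINT_RE.search(line):
            # Blank out SIDs first so their hex tail is not mistaken for a token.
            remainder = ACCOUNT_SID_RE.sub(" ", line)
            for m in HEX32_RE.finditer(remainder):
                findings.append((line_no, "auth_token", m.group()))
    return findings


def shared_credentials(apps):
    """Map each Account SID found in more than one app to the sorted list of those apps.

    apps: {app_id: decompiled source text}. Apps that share a SID form one blast
    radius: rotating the credential for one of them affects all of them.
    """
    apps_by_sid = defaultdict(set)
    for app_id, source in apps.items():
        for _, kind, value in find_credentials(source):
            if kind == "account_sid":
                apps_by_sid[value].add(app_id)
    return {sid: sorted(ids) for sid, ids in apps_by_sid.items() if len(ids) > 1}


# Constructed sample of decompiled sources: hypothetical app ids, fake credentials
# and a hypothetical backend host, not taken from any real app.
SAMPLE_APPS = {
    "com.example.dialer": '''
public class TwilioConfig {
    public static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    public static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    public static final String BASE_URL = "https://api.twilio.com/2010-04-01/Accounts/";
}
''',
    "com.example.dialer.enterprise": '''
// Rebranded build of the same code base; the credentials came along.
String sid = "AC0123456789abcdef0123456789abcdef";
String token = "fedcba9876543210fedcba9876543210"; // auth token
''',
    "com.example.unrelated": '''
// This app fetches a short-lived token from its own backend instead.
String tokenUrl = "https://backend.example.com/twilio/token";
String sessionId = "1b2c3d4e5f60718293a4b5c6d7e8f901";  // 32 hex chars, but a session id, not a secret
''',
}


if __name__ == "__main__":
    for app_id, source in SAMPLE_APPS.items():
        for line_no, kind, value in find_credentials(source):
            # Truncate secrets in reports so the scan output does not become a new leak.
            print(f"{app_id}:{line_no}: {kind} = {value[:6]}...")
    for sid, ids in shared_credentials(SAMPLE_APPS).items():
        print(f"{sid[:6]}... is shared by {', '.join(ids)}")
```

Run it against the output of a decompiler (one directory per app, concatenated into the `apps` mapping) rather than against the sample; the hint-word requirement for bare tokens is deliberately conservative, so a Twilio token stored without any nearby naming will be missed and should be hunted separately.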

The root cause of the Eavesdropper issue is developer carelessness: account secrets were embedded in the shipped app instead of being kept on a server the app talks to.

To their credit, Appthority has not listed all the apps that could be vulnerable, save for some that are now defunct, such as the AT&T Navigator mapping and Global Positioning System app. Twilio has confirmed to Reuters that the company has found no evidence that hackers have used the credentials to access customer data, and that it is working with developers to change credentials on affected accounts.

The vulnerability, which Appthority researchers have dubbed Eavesdropper, was introduced when developers "carelessly" hard-coded their credentials in mobile apps that use the Twilio REST API or SDK for communications services. Wrappup and RingDNA could not immediately be reached for comment.

Appthority named only a couple of the 685 affected apps, in a bid not to "tip off potential hackers", Reuters reported.
