App Flaw May Put ‘Billions’ Of Mobile Data Records At Risk

German researchers have uncovered a defect in thousands of mobile applications, which could leave users’ personal information at risk, Reuters reported yesterday (June 17).

The group claims to have found 56 million items of unprotected data in the applications studied, including social networking, messaging, medical, games and bank transfer apps, but they have no documented evidence that an exploitation of the vulnerability has taken place.

The issue lies in the way the apps store data online, meaning the passwords, addresses and location data of users may be left open to hackers, the researchers confirmed.

“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, a member of the team who discovered the flaw, told Reuters. The research team is from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.

Team leader Eric Bodden estimated the number of impacted records “will likely be in the billions.” The root of the problem is in the authentication of users when their data is stored in online databases, Bodden explained.

“Most such apps use services like Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data,” Reuters reported. “While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software’s code, called a token.”

While the group has chosen not to disclose the names of the vulnerable applications, Rasthofer told Reuters, staff from Apple confirmed the company would soon incorporate warnings to developers about their security settings before uploading to its App Store.

“Bodden likened his team’s discovery to the Heartbleed bug, a Web-based vulnerability reported last year that left half a million Web servers susceptible to data theft. Security researchers said this might be worse, since there was little users could do, and exploiting the vulnerability was easy,” Reuters said.

The announcement of the researchers’ findings comes shortly after reports of a significant vulnerability in some Samsung mobile devices surfaced earlier this week.

In the wrong hands, this Samsung flaw could also expose information on impacted devices that users consider private, like text messages, bank logins and contact data.
