Vulnerability puts 10 million app users at risk
A serious security vulnerability has been identified by a group of researchers that could impact up to 10 million banking app users.
The flaw, found in the mobile banking apps of HSBC, NatWest and the Co-op, could have let an attacker intercept the apps' TLS connections and steal users' usernames and passwords.
A group of researchers from the University of Birmingham discovered the bug after building a tool that carries out “semi-automated security testing” of apps. An initial sample of 400 apps was tested, and the flaw discovered. Specifically, the issue centred on a technique called “certificate pinning”, in which an app accepts only a certificate it already knows, or a chain that leads to a specific pinned certificate authority (CA), rather than anything signed by one of the device's trusted roots. Done properly, pinning strengthens a TLS connection. But an app that pins to a CA higher up the chain while skipping hostname verification will accept any certificate that CA has issued, for any hostname. Pinning also makes black-box pen-testing results unreliable, because a rejected connection looks the same whether the tester's certificate failed the pin or failed the hostname check.
The researchers explained: “By proxying TLS connections with a trusted certificate for an unrelated hostname, one cannot distinguish whether the app rejects the connection because the hostname is invalid, or because a chain of trust cannot be established due to pinning being in use. While pinning to the server public key would be secure, to test for apps that pinned to higher up the certificate chain, we obtained a free Comodo certificate for our own hostname and found that this certificate was accepted by apps from Natwest and Co-op bank, meaning that these apps could be MITMed and were not secure…”
It allowed an attacker on the same network as the victim, holding a certificate for any hostname from the same CA the app pinned, to mount a Man in the Middle (MitM) attack, until it was patched by the banks. The researchers worked with the UK's National Cyber Security Centre (NCSC) to resolve the issue before going public. Their findings were publicised initially in brief and then expanded and presented at the 33rd Annual Computer Security Applications Conference (ACSAC) in Orlando, Florida last week, in the paper “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”.
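As an added example (not the researchers' code, and not Spinner itself), the Go program below builds a throwaway CA and two leaf certificates issued by it, one for the bank's hostname and one for an unrelated hostname an attacker could obtain from the same CA, then runs one chain-plus-pin check in both flavours: with hostname verification switched off, which reproduces the flawed behaviour, and with it on. The CA name and the hostnames bank.example and attacker.example are constructed for the demonstration; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed test hierarchy: one CA plus two leaf certificates it
// issued. "bank" is the app's real server; "evil" is a certificate for an
// unrelated hostname that the same CA would happily issue to an attacker.
type pki struct {
	ca, bank, evil *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildPKI() pki {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leaf := func(serial int64, host string) *x509.Certificate {
		k := newKey()
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return issue(t, ca, &k.PublicKey, caKey)
	}
	return pki{ca: ca, bank: leaf(2, "bank.example"), evil: leaf(3, "attacker.example")}
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the usual
// form of a public-key pin (pin the CA's SPKI to pin "higher up the chain").
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verify builds a chain from leaf to the trusted CA and accepts it only if
// some certificate in that chain carries the pinned SPKI hash. An empty host
// makes Go skip hostname verification entirely, which is exactly the bug
// Spinner looks for; a non-empty host is the corrected check.
func verify(leaf, ca *x509.Certificate, pin, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, c := range chains[0] {
		if spkiPin(c) == pin {
			return true
		}
	}
	return false
}

func main() {
	p := buildPKI()
	pin := spkiPin(p.ca) // the app pins the CA, not the server key
	fmt.Println("bank cert, CA pin, no hostname check:    ", verify(p.bank, p.ca, pin, ""))
	fmt.Println("attacker cert, CA pin, no hostname check:", verify(p.evil, p.ca, pin, "")) // accepted: MitM
	fmt.Println("bank cert, CA pin + hostname check:      ", verify(p.bank, p.ca, pin, "bank.example"))
	fmt.Println("attacker cert, CA pin + hostname check:  ", verify(p.evil, p.ca, pin, "bank.example"))
}
```

The pin-only path is the Spinner test in miniature: a certificate from the pinned CA for a different hostname is accepted, so the app would talk to a proxy holding that certificate. Pinning the server's own SPKI instead of the CA's also closes the hole, because the attacker's leaf key never matches, but the hostname check should stay in place regardless.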
Ilia Kolochenko, CEO of High-Tech Bridge, said: "As much independent research continuously demonstrates, most mobile apps, on any platform, are insecure and vulnerable, and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organizations and the relative complexity of practical exploitation of mobile app flaws.
"In most cases, exploitation of a mobile app vulnerability requires some pre-existing conditions, such as an already installed malicious app on the same device or the attacker's access to the victim's data channel (e.g. public Wi-Fi). All of this makes mobile apps not a very attractive target for cybercriminals, who would rather target the mobile backend – APIs and web services – which can be an Ali Baba's cave in the case of a breach. While many companies do not even consider protecting the mobile backend with a WAF, believing that it is unnecessary, mobile apps are just the tip of the iceberg."
The Birmingham researchers' findings gel with recent research from High-Tech Bridge, which investigated a range of apps using its new free online service, “Mobile X-Ray”, which tests mobile application security and privacy. The results were shocking: 88 per cent of the APIs and web services used in mobile backends contained exploitable vulnerabilities allowing access to sensitive or even confidential data, and 69 per cent lacked sufficient anti-automation mechanisms or protections (e.g. a WAF) against common web attacks.
Against this background, Gartner's annual security-spend figures make interesting reading: a predicted increase of eight per cent in 2018, to $96 billion (£71.72 billion) by the end of the year. Gartner attributes this to a change in mindset among companies, tightened regulation in many areas and a growing awareness of threats. Let's just hope the increased spend delivers proportional improvements...