UPDATED 01:26 EDT / JULY 17 2015

NEWS

Report: AppBugs finds host of popular mobile apps open to password cracking

Research published this week identified 53 mobile apps that leave user accounts vulnerable to hacking attempts because they fail to restrict the number of unsuccessful login attempts allowed. (via Ars Technica)

In what is known as a “Brute Force Attack”, hackers run sophisticated software that “guesses” a user’s password by trying a large number of common passwords or password variations in a relatively short time until it finds the correct one and gains access to the victim’s account.

An app that limits the number of unsuccessful login attempts automatically locks the account once the threshold is reached. Usually, the only way to regain access is to perform a “lost password” or “password reset” action that requires account verification via email.

Naturally this does result in legitimate users being locked out of their accounts once they have entered their password incorrectly a few times, which happens often because of forgotten passwords. However, the benefit of protecting user accounts far outweighs this minor inconvenience.
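The lockout behaviour described above, as an added example that is not part of the original article and is not code from AppBugs or any of the apps named: a server-side login check that counts failed attempts per account, locks the account at a threshold, and only unlocks it through a password reset gated on email verification. The threshold of 5, the function names and the `email_token_valid` flag standing in for the verification step are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed policy value for this example, not from the report

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked database cannot be cracked offline cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash_password(password, salt))

def login(acct: Account, password: str) -> str:
    """Return 'ok', 'bad_password' or 'locked'.
    The lock check runs first, so once the threshold is reached even the
    correct password is refused until the account is reset."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0  # a successful login clears the counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        # A real service would also emit a security event here so that
        # lockouts are visible to monitoring and can be investigated.
        return "locked"
    return "bad_password"

def reset_password(acct: Account, new_password: str, email_token_valid: bool) -> bool:
    """Recover a locked account. 'email_token_valid' stands in for the
    e-mail verification step the article describes."""
    if not email_token_valid:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash_password(new_password, acct.salt)
    acct.failed_attempts = 0
    acct.locked = False
    return True
```

Without the `locked` check and counter, `login` would answer every guess with `ok` or `bad_password` indefinitely, which is exactly the weakness the report describes.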

Perhaps the most infamous case of users of an app or web service falling prey to a Brute Force Attack was 2014’s iCloud celebrity hack that resulted in the theft of nude photos. That hack was said to have been made possible in part by iCloud failing to limit the number of failed login attempts. Hackers reportedly used a password-cracking tool called iBrute to access user accounts and retrieve photos stored in backups.

Smartphone security firm AppBugs analyzed 100 apps which support password-protected web accounts and found that 53 of those apps did not limit failed login attempts, leaving their user accounts vulnerable.

The Android versions of the 53 vulnerable apps have been downloaded a combined 300 million times and AppBugs estimates the iOS downloads to also be in the region of 300 million, leaving some 600 million downloads vulnerable to Brute Force Attacks. (Apple does not publish download counts for apps in its App Store.)

AppBugs notified the individual app developers of its findings, giving them 90 days to fix the vulnerabilities before disclosing the findings to the public. So far the grace period has expired on only 12 of the 53 apps, including those from Walmart, Kobo, SoundCloud, Slack, AutoCad 360, Zillow, Domino’s Pizza, CNN, Expedia, WatchESPN, iHeartRadio, and Songza.

In addition, the Wunderlist, Dictionary, and Pocket apps were also identified, but their developers have since implemented the necessary changes after being notified by AppBugs.

Image credit: Ervins Strauhmanis | Flickr
