UPDATED 01:26 EST / JULY 17 2015

Report: AppBugs finds host of popular mobile apps open to password cracking

Research published this week identified 53 mobile apps that leave user accounts vulnerable to hacking attempts as they fail to restrict the number of unsuccessful login attempts allowed. (via Ars Technica)

In a “Brute Force Attack”, hackers run software that “guesses” a user’s password by trying a large number of common passwords or password variations in a relatively short time until it finds the correct one and gains access to the victim’s account.

Limiting the number of unsuccessful login attempts automatically locks the account once the threshold is reached. Usually, the only way to regain access is a “lost password” or “password reset” flow that requires account verification via email.

Naturally this does result in legitimate users being locked out of their accounts once they have entered their password incorrectly a few times, something that happens often because of forgotten passwords. However, the benefit of protecting user accounts far outweighs this minor inconvenience.
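The lockout mechanism the article describes, as an added example that is not code from the article or from AppBugs: failed logins are counted per account, the account locks once a threshold is reached (the value 5 is an assumption; the article names none), a locked account rejects even the correct password, and access is regained only through a single-use reset token that would be delivered by email.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the article does not give a number


@dataclass
class Account:
    password_hash: str  # salted PBKDF2 hash; the plaintext password is never stored
    salt: str
    failed_attempts: int = 0
    locked: bool = False
    reset_token: Optional[str] = None


def _hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def create_account(password: str) -> Account:
    salt = secrets.token_hex(16)
    return Account(password_hash=_hash(password, salt), salt=salt)


def login(account: Account, password: str) -> str:
    """Return 'ok', 'bad_password', or 'locked'."""
    if account.locked:
        return "locked"  # refuse even a correct guess while locked
    if hmac.compare_digest(_hash(password, account.salt), account.password_hash):
        account.failed_attempts = 0  # a successful login clears the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "bad_password"


def request_password_reset(account: Account) -> str:
    """Issue a single-use token; a real service would email it to the owner."""
    account.reset_token = secrets.token_urlsafe(32)
    return account.reset_token


def reset_password(account: Account, token: str, new_password: str) -> bool:
    """Consume the token, set a new password, and clear the lockout."""
    if account.reset_token is None or not hmac.compare_digest(token, account.reset_token):
        return False
    account.reset_token = None
    account.salt = secrets.token_hex(16)
    account.password_hash = _hash(new_password, account.salt)
    account.failed_attempts = 0
    account.locked = False
    return True
```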

Perhaps the most infamous case of users of an app or web service falling prey to a Brute Force Attack was 2014’s iCloud celebrity hack that resulted in the theft of nude photos. That hack was said to have been made possible in part by iCloud failing to limit the number of failed login attempts. Hackers reportedly used a password-cracking tool called iBrute to get into user accounts and retrieve photos stored in backups.

Smartphone security firm AppBugs analyzed 100 apps which support password-protected web accounts and found that 53 of those apps did not limit failed login attempts, leaving their user accounts vulnerable.

The Android versions of the 53 vulnerable apps have been downloaded a combined 300 million times and AppBugs estimates the iOS downloads to also be in the region of 300 million, leaving some 600 million downloads vulnerable to Brute Force Attacks. (Apple does not publish download counts for apps in its App Store.)

AppBugs notified the individual app developers of its findings, giving them 90 days to fix the vulnerabilities before disclosing the findings to the public. So far the grace period has expired for only 12 of the 53 apps, including those from Walmart, Kobo, SoundCloud, Slack, AutoCad 360, Zillow, Domino’s Pizza, CNN, Expedia, WatchESPN, iHeartRadio, and Songza.

The Wunderlist, Dictionary, and Pocket apps were also identified, but their developers have implemented the necessary changes since being notified by AppBugs.

Image credit: Ervins Strauhmanis | Flickr
