Dozens of phone apps with more than 300 million downloads susceptible to brute force password hacking
According to recently published research, as many as 600 million smartphone user accounts could be at risk of being cracked because popular apps allow attackers to make an unlimited number of login attempts. Dozens of apps are affected, and together they have been downloaded more than 300 million times. They include smartphone apps from Walmart, CNN, ESPN, and dozens of other organizations.
Security experts have long recognized the value of restricting the number of unsuccessful login attempts that can be made against an online account. Such restrictions do let an attacker lock legitimate users out of their own accounts simply by failing logins on purpose; in most cases, however, that denial-of-service drawback is outweighed by the protection they give against online password cracking, in which attackers make huge numbers of password guesses against specific user accounts in the hope of hitting the right one. Until last September, Apple’s iCloud service failed to restrict the number of login attempts, a drawback that may have contributed to last year’s mass theft of celebrities’ nude photos.
Although Apple has mended its ways, many smartphone apps still allow an unlimited number of login attempts. That failure lets attackers work through long lists of the most commonly used passwords. Given how hard it is to type strong passwords on a smartphone keyboard, it is a safe bet that a statistically significant number of accounts could be compromised over a period of weeks.
Mobile security firm AppBugs tested 100 of the most popular Android and iOS apps that support password-protected accounts, each with at least one million downloads, and found that a large share of them place no limit on the number of login attempts.
Of these, the affected Android apps had been downloaded 300 million times. Even though Apple does not release such data, AppBugs estimated the download number for the affected iOS apps to be similar.
Surprisingly, 53% had a password brute-force vulnerability, which allowed attackers to keep guessing until they hit the right credential.
The firm explained the following:
“According to this study on 70 million passwords, the strength of user passwords typically contains 10-20 bits of security. This means that it only takes the attacker 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
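As an added example (not from the article or from AppBugs), the Python below puts numbers on two points made above: the guessing-budget arithmetic in the quoted estimate, and the per-account attempt limit whose absence the article describes, including the lockout trade-off mentioned earlier. The 30 guesses per minute and the 10-20 bits of strength come from the quote; the throttle thresholds (5 failures, 15-minute lockout), the account names and the passwords are constructed for the example.

```python
import hmac
from collections import defaultdict

# Figures quoted in the AppBugs estimate: 10-20 bits of password strength,
# guessed at 30 attempts per minute against one account.
GUESSES_PER_MINUTE = 30


def guesses_for_bits(bits):
    """Guesses needed to exhaust a password space with `bits` bits of strength."""
    return 2 ** bits


def minutes_to_exhaust(bits, rate_per_minute=GUESSES_PER_MINUTE):
    """Worst-case minutes to run through that space at a fixed guess rate."""
    return guesses_for_bits(bits) / rate_per_minute


class LoginThrottle:
    """Per-account throttle: after `max_failures` failed logins inside
    `window_seconds`, further attempts are refused for `lockout_seconds`.

    Keying on the account (not the source IP) is what defeats guessing spread
    across many addresses, at the cost of the trade-off the article describes:
    anyone who can fail logins can temporarily lock the owner out, so the
    lockout is kept short and is cleared by a successful login.
    The thresholds are example settings, not values from the study.
    """

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> time the lockout ends

    def _prune(self, account, now):
        cutoff = now - self.window_seconds
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def allowed(self, account, now):
        """True if an attempt for `account` may be evaluated at time `now`."""
        return now >= self._locked_until.get(account, 0)

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account].clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, credentials, account, password, now):
    """Evaluate one login against a constructed credential table.
    Returns 'throttled', 'bad-password' or 'ok'."""
    if not throttle.allowed(account, now):
        return "throttled"  # refused before the password is even checked
    expected = credentials.get(account, "")
    # Constant-time comparison on plaintext keeps the toy short; a real service
    # compares against a slow password hash (bcrypt, scrypt, Argon2) instead.
    if hmac.compare_digest(expected, password) and account in credentials:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad-password"


def max_guesses_in(seconds, max_failures, lockout_seconds):
    """Upper bound on guesses one account can receive in `seconds` under the
    throttle: one batch of `max_failures` per lockout period, plus the first."""
    return max_failures * (seconds // lockout_seconds + 1)


def simulate_guessing(seconds, throttle, interval=60 // GUESSES_PER_MINUTE):
    """Model the quoted 30-guesses-per-minute stream against one throttled
    account and count how many guesses the service actually evaluates."""
    credentials = {"victim": "not-in-any-wordlist"}  # constructed account
    sent = evaluated = 0
    for now in range(0, seconds, interval):
        sent += 1
        if attempt_login(throttle, credentials, "victim", f"guess{sent}", now) != "throttled":
            evaluated += 1
    return sent, evaluated


if __name__ == "__main__":
    day = 24 * 60 * 60
    print(f"20-bit password, no limit: {minutes_to_exhaust(20) / 1440:.1f} days")
    print(f"same 24 days, throttled: at most {max_guesses_in(24 * day, 5, 900)} guesses")
    print("one hour of guessing (sent, evaluated):", simulate_guessing(3600, LoginThrottle()))
```

Run stand-alone, the script reproduces the quote's 24-day figure for a 20-bit password with no limit, then shows that the same 24 days yield only about 11,500 evaluated guesses once a 5-failure, 15-minute lockout is in place, far short of the 2^20 needed. The one-hour simulation makes the same point at small scale: 1,800 guesses are sent, 20 are evaluated. The other lever, which the throttle does not replace, is the user's own password strength; every extra bit doubles the guesses required.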
In keeping with its disclosure policy, AppBugs said it notified the developers of each affected app, giving them 90 days to fix the vulnerabilities before making them public.
Of the 15 apps whose patching grace period has already passed, only three (Wunderlist, Dictionary, and Pocket) had fixed the issue at the time of AppBugs’ blog post.
The grace period has expired on at least 12 apps that remain unfixed, including those from CNN, Walmart, Expedia, ESPN, Songza, Slack, Zillow, SoundCloud, iHeartRadio, Domino’s Pizza, AutoCAD, and Kobo. Three other apps, from Dictionary, Wunderlist, and Pocket, were also found to be vulnerable, but their developers fixed the weaknesses after AppBugs brought them to their attention.
None of the tested apps support two-factor authentication, so there is very little a user can do to reduce the risk apart from disabling the app altogether.
Apple’s iCloud service was widely reported to have exposed users through this same weakness before the company patched it. It is time for app developers to consider two-factor authentication as a means of preventing the compromise of user accounts.