Saintel Daily


Security Breach? App Developers Left User Credentials Right in Code

Researchers have discovered that hundreds of messaging apps may have been breached due to developers leaving user credentials in the code.


In light of the Equifax data breach, and the many other “leaks” over the last few years, people are on guard when it comes to the security of their personal data. And they should be. The problem is that it doesn’t seem to be getting any better. It was discovered that nearly 700 apps for iOS and Android were exploited to expose private messages and calls. The security company Appthority discovered this exploit and is calling it Eavesdropper. According to Appthority, up to 180 million Android devices could be affected, along with an unknown number of iOS devices.

Appthority discovered 685 apps that used the Twilio REST API or SDK for communication services, which include calling and messaging. Twilio essentially lets developers build those features into their apps without having to write their own communications protocols. For some reason, however, some developers using these APIs left hard-coded Twilio account credentials in the app’s code, which made it super easy for a hacker to pull out the credentials and expose the users’ private communications.
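The anti-pattern described above is easy to catch before an app ships. The following is an added example, not code from the article, from Appthority or from Twilio: a small Python check that scans source text for credential-shaped string literals, next to a server-side loader showing where the credentials belong instead. The credential formats (an Account SID is “AC” plus 32 hex characters, an Auth Token is 32 hex characters), the environment variable names, and both sample source snippets are assumptions constructed for the example.

```python
"""Find hard-coded Twilio-style credentials in app source, and show the fix.

Added example: the regexes encode the assumed credential formats, the
environment variable names are assumed, and both source samples are
constructed for illustration.
"""
import os
import re

# Assumed formats: Account SID = "AC" + 32 hex chars; Auth Token = 32 hex chars.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
# Only flag a 32-hex literal when it is assigned to something named like an
# auth token, so unrelated hashes and ids do not trip the check.
AUTH_TOKEN_RE = re.compile(r"(?i)(auth[_-]?token)\s*[:=]\s*['\"]?([0-9a-f]{32})['\"]?")
TOKEN_SHAPE_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample of the anti-pattern: a mobile client carrying the
# developer's Twilio credentials as string literals.
VULNERABLE_APP_SOURCE = """\
// Constructed sample: the client embeds the developer's Twilio credentials,
// so anyone who unpacks the app can read them.
public class SmsClient {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN = "0123456789abcdef0123456789abcdef";
}
"""

# Constructed sample of the fix: the client holds no Twilio secret at all and
# asks the developer's own backend to place the call or send the message.
HARDENED_APP_SOURCE = """\
// Constructed sample: no credentials in the client; the backend holds them.
public class SmsClient {
    private static final String BACKEND_URL = "https://api.example.com/sms";
}
"""


def redact(value):
    """Keep just enough of a secret to identify it in a report without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_source(text):
    """Return [(line_no, kind, redacted_value)] for every credential-looking literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCOUNT_SID_RE.finditer(line):
            findings.append((line_no, "account_sid", redact(match.group(0))))
        for match in AUTH_TOKEN_RE.finditer(line):
            findings.append((line_no, "auth_token", redact(match.group(2))))
    return findings


def credentials_from_environment(env):
    """Server-side loading of the credentials (assumed variable names).

    Returns (sid, token), or None when either value is missing or malformed,
    so a misconfigured deployment fails closed instead of falling back to a
    literal baked into the code.
    """
    sid = env.get("TWILIO_ACCOUNT_SID", "")
    token = env.get("TWILIO_AUTH_TOKEN", "")
    if not ACCOUNT_SID_RE.fullmatch(sid) or not TOKEN_SHAPE_RE.fullmatch(token):
        return None
    return sid, token


if __name__ == "__main__":
    for line_no, kind, value in scan_source(VULNERABLE_APP_SOURCE):
        print(f"line {line_no}: hard-coded {kind} {value}")
    print("hardened client findings:", scan_source(HARDENED_APP_SOURCE))
    print("server-side credentials:", credentials_from_environment(dict(os.environ)))
```

Run the scanner in CI over the app’s source tree (or over the strings extracted from a built package) and fail the build on any finding. The scan only detects the problem; the actual remedy is the one the hardened sample shows, keeping the Twilio credentials on a backend the developer controls and rotating any credential that has ever shipped inside a client binary.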


The vulnerability is being called Eavesdropper “because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they’ve developed with the exposed credentials,” according to Appthority. What’s worse is that Eavesdropper poses a major threat to enterprise communications. Twilio is often used in business environments, which means this could make a company’s private information extremely accessible to hackers who don’t have your best interest in mind. That said, Appthority’s research indicates that only about 33% of the apps affected were business focused.

What is kind of interesting is how quickly (or slowly in this case) the vulnerability was made apparent to Twilio. Appthority discovered the vulnerability back in April but didn’t notify Twilio until July. Doesn’t that seem kind of ridiculous? I mean, why does it take three months to notify a company about a possible vulnerability with their system? This is what we saw with Equifax. I’m assuming there are some procedural/legal things, out of my scope, which could slow this process down. But three months still seems like a long time.

It makes you wonder if there is something else going on. I’m not trying to get into a conspiracy theory, but why does notification take so long? Why did it take Equifax months before they let people know about their breach? That’s why I think there is something else going on. What good does it do to hold off on telling your clients or consumers that their private information might now be in the hands of hackers? None, which is why I think there is something fishy about these procedures. Call me a conspiracy theorist, if you want. But I can tell when something doesn’t add up. Knowing what that is, on the other hand, isn’t something my crystal ball is showing me right now. But like I said – something isn’t right.

It looks like they are working to try to resolve the issue, as the number of apps affected dropped by the end of August. But I don’t think that “fixes” the bigger problem here.
