Security researcher Will Dormann of the US Computer Emergency Response Team (CERT) reported this week that over 350 apps in the Google Play and Amazon App stores are affected by a flaw in which the apps fail to validate the certificate presented over a Secure Sockets Layer (SSL) connection.
The bug, which exposes many popular mobile applications such as the eBay mobile shopper and the Microsoft Tech Companion to fairly rudimentary man-in-the-middle attacks, has been tracked and logged by the CERT team for only about a week. But instead of waiting the standard 45 days, during which the problem is communicated privately to the affected companies so they can get ahead of the issue with patches, CERT has opted to go public as soon as possible because of the severity and wide-reaching implications of what the attack could do if left unchecked for too long.
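The flaw described above almost always comes down to one of two coding patterns: a custom `X509TrustManager` whose `checkServerTrusted` method never throws, or a `HostnameVerifier` that returns `true` for every host. The following Java example is added here as an illustration and is not code from the article, from CERT, or from any of the affected apps; the class and method names (`CertValidationExample`, `trustAllManager`, `rejectsEmptyChain`, and so on) are hypothetical. It places the vulnerable pattern beside the hardened form that simply keeps the platform defaults, and adds a self-check that a developer can run in a unit test to tell the two apart.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertValidationExample {

    // VULNERABLE: a "trust everything" TrustManager. checkServerTrusted never throws,
    // so a forged certificate presented by a rogue access point is accepted as valid.
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // VULNERABLE: a HostnameVerifier that accepts any name, so a certificate that is
    // genuinely valid for attacker.example is accepted for bank.example as well.
    static HostnameVerifier allowAllHostnames() {
        return (String hostname, SSLSession session) -> true;
    }

    // VULNERABLE wiring: this is the shape of code to search for in an app's source.
    // Installing the permissive manager as the process-wide default disables
    // certificate validation for every HttpsURLConnection in the app.
    static void installTrustAllDefaults() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAllManager() }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(allowAllHostnames());
    }

    // HARDENED: the platform's default TrustManager, initialised from the system trust
    // store (a null KeyStore means "use the system default"). It performs full chain
    // validation against the device's trusted roots.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // HARDENED: an HTTPS connection that leaves both certificate validation and hostname
    // verification at their defaults. Not overriding them with permissive implementations
    // is the entire fix for this class of bug.
    static HttpsURLConnection openValidated(String url) throws IOException {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // Self-check for a unit test: a validating TrustManager must reject an empty chain
    // (the JDK implementation throws IllegalArgumentException; a correct custom one throws
    // CertificateException). A trust-all manager returns silently, which this reports as false.
    static boolean rejectsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return false; // accepted an empty chain: this manager validates nothing
        } catch (CertificateException | IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all manager rejects empty chain: "
            + rejectsEmptyChain(trustAllManager()));
        System.out.println("default manager rejects empty chain:   "
            + rejectsEmptyChain(defaultTrustManager()));
    }
}
```

The `rejectsEmptyChain` check is deliberately crude: it does not prove that a manager validates correctly, only that it is not the trust-all stub, which is the specific defect this disclosure is about. A code review should additionally flag any call to `setSSLSocketFactory`, `setDefaultSSLSocketFactory`, `setHostnameVerifier` or `setDefaultHostnameVerifier` that wires in a custom implementation, since those are the only ways the defaults get bypassed in this API.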
Because of the sheer number of affected programs, CERT has posted a constantly updated document so that developers of affected apps can check whether their code is at risk of attack.
“If an attacker is interested in performing MITM attacks, they’re already doing it,” writes Dormann.
“That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it. Knowing which specific applications are affected does not give any advantage to an attacker.”
Perhaps most worrying is the weakness in the Coles Credit Card app, which is used to pay for groceries and goods at the Australian supermarket chain. If exploited, the hole could allow attackers to sniff out financial information, which might then be used to steal a user’s identity without their knowledge.
Although POS scams have become one of the foremost methods that underground rings relied on to commit financial crimes in 2014, more classical routes of intrusion still prove fruitful for anyone with less experience of the relatively new technologies and malware programs required to pull off a successful POS hack.
By simply cracking the username/password combination for the app, attackers could read all of the credit and debit cards stored on a person’s phone; those details can then be cloned onto counterfeit cards and drained at an ATM, or used for large purchases at retailers known for looking the other way when it comes to checking the ID of the person at the register.
CERT has advised all users of Google Play and the Amazon line of mobile devices to keep a close eye on the list over the next several weeks to check whether any of their installed apps appear on it. Anyone who finds a match is instructed to immediately uninstall any app that could still be vulnerable until a patch has been applied across all the affected platforms.