Eavesdropper vulnerability leaves 180 million smartphone users exposed to hackers

He, however, added that they are working with developers to rectify credentials on the affected accounts.

Bentley also notes that Eavesdropper poses a major threat to enterprise communications, as Twilio is typically used in business environments.

The issue, which has been dubbed Eavesdropper, stems from the use of an application programming interface (API) from Twilio.

The vulnerability has resulted in large-scale data exposure, Appthority said.

The flaw affected almost 700 apps that have already been downloaded over 180 million times.

Examples of apps that have the Eavesdropper bug include an app for secure communications within a federal law enforcement agency, an app that allows the sales team of a company to make audio recordings and real-time annotations to discussions, as well as branded and white-label navigation apps for customers that include AT&T and U.S. Cellular.

Appthority published research on its discovery of the Eavesdropper vulnerability, caused by developers carelessly hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite best practices the company clearly outlines in its documentation.

Mobile threat protection firm Appthority discovered an exploit in nearly 700 iOS and Android apps that could expose the private messages and calls of users. Eavesdropper doesn't depend on a jailbreak, rooting, malware or known vulnerabilities; instead, it capitalises on a simple developer error to expose massive amounts of sensitive data. That suggests the theft of credentials for one app's Twilio account could pose a security threat to all users of as many as eight other apps.

"Not all conversations involve confidential information, and the nature of the app's use in the enterprise may not involve data that is sensitive or of concern", noted Seth Hardy, Appthority director of security research.

The flaw exposes sensitive data including call records, SMS and MMS text messages and more, security researchers at Appthority found.

"It's just one more example of bad practices leading to bad results, as it's very tempting for a coder to take shortcuts while developing an app, with the honest intent of cleaning things up later", he told TechNewsWorld.

Moreover, this vulnerability isn't resolved by removing an affected app from the app store or users' devices.

Those credentials could be used to access app user data stored on Amazon, Hardy said. This includes all the communications done through the compromised apps. That's still a pretty large number, but unfortunately Appthority didn't publish a full list of apps that are still live. Appthority researchers are finding that developers who hard-code credentials in one service have a high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.
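As an added example (not Appthority's tooling and not code from the article), here is a small scanner a build pipeline could run over app source or decompiled strings to flag the hard-coded credentials described above before release. It goes beyond the Twilio case to AWS access key IDs, following the researchers' point about other services. The sample input, the finding labels and the 3-line pairing window are constructed assumptions.

```python
import re

# Twilio Account SIDs are "AC" followed by 32 hex characters. The auth token
# is a bare 32-hex string, so it is only reported when it sits near a SID.
TWILIO_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# Long-lived AWS access key IDs start with "AKIA" plus 16 characters.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
WINDOW = 3  # lines either side of a SID searched for a token (assumption)

# Constructed sample resembling decompiled app code; all values are fake
# (the AWS key ID is the placeholder used in AWS documentation).
SAMPLE = '''\
public final class Config {
    static final String SID = "AC0123456789abcdef0123456789abcdef";
    static final String TOKEN = "fedcba9876543210fedcba9876543210";
    static final String S3_KEY = "AKIAIOSFODNN7EXAMPLE";
    // nothing sensitive below
    static final String REGION = "us-east-1";
    static final String LOCALE = "en-US";
    static final String ASSET_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
}
'''

def scan(text):
    """Return sorted (line_no, kind) findings; secret values are not echoed."""
    lines = text.splitlines()
    findings = set()
    for i, line in enumerate(lines):
        if AWS_KEY_ID.search(line):
            findings.add((i + 1, "aws-access-key-id"))
        if not TWILIO_SID.search(line):
            continue
        findings.add((i + 1, "twilio-account-sid"))
        # A lone 32-hex string is usually a checksum; next to a SID it is
        # treated as a probable auth token.
        lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
        for j in range(lo, hi):
            if HEX32.search(lines[j]):
                findings.add((j + 1, "twilio-auth-token"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, kind in scan(SAMPLE):
        print(f"line {line_no}: {kind}")
```

The MD5 constant on line 8 of the sample is not reported because it lies outside the window around the SID, which keeps checksum noise out of the results.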
