Eavesdropper vulnerability leaves 180 million smartphone users exposed to hackers

He added, however, that they are working with developers to rectify credentials on the affected accounts.

Bentley also notes that Eavesdropper poses a major threat to enterprise communications, as Twilio is typically used in business environments.

The issue, which has been dubbed Eavesdropper, stems from the use of an application programming interface (API) from Twilio.

The vulnerability has resulted in large-scale data exposure, Appthority said.

The flaw affected almost 700 apps that have already been downloaded over 180 million times.

Examples of apps that have the Eavesdropper bug include an app for secure communications within a federal law enforcement agency, an app that allows the sales team of a company to make audio recordings and make real-time annotations to discussions, as well as branded and white label navigation apps for customers that include AT&T and U.S. Cellular.

Appthority published research on its discovery of the Eavesdropper vulnerability, caused by developers carelessly hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite best practices the company clearly outlines in its documentation.
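A pre-release check for the developer error described above, as an added example that is not code from Appthority or Twilio: it scans an app's own sources or decompiled strings for the Twilio Account SID pattern ("AC" plus 32 hex characters) and for a 32-hex string close to it. The file names, file contents and the five-line window are constructed assumptions.

```python
import re

# Twilio Account SIDs are "AC" + 32 hex characters; auth tokens are 32 hex characters.
SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
HEX32_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-f]{32}(?![0-9A-Za-z])")
WINDOW = 5  # a bare 32-hex string only counts when this close (in lines) to a SID

# Constructed sample inputs; every value below is made up for this example.
SAMPLE_FILES = {
    "TwilioClient.java": (
        'static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";\n'
        'static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";\n'
    ),
    "Checksums.java": 'static final String MD5 = "00112233445566778899aabbccddeeff";\n',
    "Api.java": 'String url = BACKEND + "/voice/token";  // no secret in the app\n',
}

def redact(value):
    """Keep enough of the value to locate it without copying the secret into reports."""
    return value[:4] + "..." + value[-2:]

def scan_text(name, text):
    """Return (file, line_no, kind, redacted_value) for each suspected credential."""
    lines = text.splitlines()
    sid_lines = [i for i, line in enumerate(lines) if SID_RE.search(line)]
    findings = []
    for i, line in enumerate(lines):
        for m in SID_RE.finditer(line):
            findings.append((name, i + 1, "account_sid", redact(m.group())))
        # Plain 32-hex strings are common (MD5 digests), so require a nearby SID.
        if any(abs(i - s) <= WINDOW for s in sid_lines):
            for m in HEX32_RE.finditer(line):
                findings.append((name, i + 1, "possible_auth_token", redact(m.group())))
    return findings

def scan_all(files):
    """Scan a {filename: contents} mapping, e.g. decompiled sources of your own build."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(*finding)
```

Any hit means the build should be blocked and the credential rotated, since a value that has shipped in a released binary stays recoverable from copies already downloaded.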

Mobile threat protection firm Appthority discovered an exploit in nearly 700 iOS and Android apps that could expose the private messages and calls of users. Eavesdropper doesn't depend on a jailbreak, rooting, malware or known vulnerabilities; instead, it capitalises on a simple developer error to expose massive amounts of sensitive data. That suggests the theft of credentials for one app's Twilio account could pose a security threat to all users of as many as eight other apps.

"Not all conversations involve confidential information, and the nature of the app's use in the enterprise may not involve data that is sensitive or of concern", noted Seth Hardy, Appthority director of security research.

The flaw exposes sensitive data including call records, SMS and MMS text messages and more, security researchers at Appthority found.

"It's just one more example of bad practices leading to bad results, as it's very tempting for a coder to take shortcuts while developing an app, with the honest intent of cleaning things up later", he told TechNewsWorld.

Moreover, this vulnerability isn't resolved by removing an affected app from the app store or from users' devices.

Those credentials could be used to access app user data stored on Amazon, Hardy said. This includes all the communications done through the compromised apps. That's still a pretty large number, but unfortunately Appthority didn't publish a full list of apps that are still live. Appthority researchers are finding that developers who hard-code credentials in one service have a high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.
