Eavesdropper vulnerability leaves 180 million smartphone users exposed to hackers


He added, however, that they are working with developers to rectify the credentials on the affected accounts.

Bentley also notes that Eavesdropper poses a major threat to enterprise communications, as Twilio is typically used in business environments.

The issue, which has been dubbed Eavesdropper, stems from the use of an application programming interface (API) from Twilio.

The vulnerability has resulted in large-scale data exposure, Appthority said.


The flaw affected almost 700 apps that have already been downloaded over 180 million times.

Examples of apps with the Eavesdropper bug include an app for secure communications within a federal law enforcement agency, an app that lets a company's sales team make audio recordings and annotate discussions in real time, and branded and white-label navigation apps for customers including AT&T and U.S. Cellular.

Appthority published research on its discovery of the Eavesdropper vulnerability, caused by developers carelessly hard-coding their credentials into mobile applications that use the Twilio REST API or SDK, despite the best practices the company clearly outlines in its documentation.

Mobile threat protection firm Appthority discovered a vulnerability in nearly 700 iOS and Android apps that could expose users' private messages and calls. Eavesdropper does not depend on a jailbreak, rooting, malware or known vulnerabilities; instead, it capitalises on a simple developer error to expose massive amounts of sensitive data. That suggests the theft of credentials for one app's Twilio account could pose a security threat to the users of as many as eight other apps.


"Not all conversations involve confidential information, and the nature of the app's use in the enterprise may not involve data that is sensitive or of concern", noted Seth Hardy, Appthority director of security research.

The flaw exposes sensitive data including call records, SMS and MMS text messages and more, security researchers at Appthority found.

"It's just one more example of bad practices leading to bad results, as it's very tempting for a coder to take shortcuts while developing an app, with the honest intent of cleaning things up later", he told TechNewsWorld.

Moreover, this vulnerability is not resolved by removing an affected app from the app store or from users' devices, since the exposed credentials remain valid until they are rectified.


Those credentials could be used to access app user data stored on Amazon, Hardy said. This includes all the communications made through the compromised apps. That is still a pretty large number, but unfortunately Appthority did not publish a full list of apps that are still live. Appthority researchers are finding that developers who hard-code credentials for one service have a high propensity to make the same error with other services, such as, in this instance, between app tools and data storage like Amazon S3.
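As an added illustration for this article (not Appthority's, Twilio's or any affected developer's code), the following Python check shows the kind of secret scan a development or security team can run over the strings extracted from its own app builds before release, to catch exactly the hard-coded Twilio and Amazon credentials described above. The identifier formats it matches are the vendors' documented ones: a Twilio Account SID is "AC" followed by 32 hexadecimal characters, a Twilio auth token is 32 hexadecimal characters, and an AWS access key ID is "AKIA" followed by 16 upper-case alphanumerics. The sample strings are constructed for the example and are not real credentials.

```python
"""Scan strings extracted from an app build for hard-coded service credentials.

Added example for this article, not Appthority's or Twilio's code. It reports
where a Twilio Account SID, a likely Twilio auth token or an AWS access key ID
appears in the text pulled from a build, masking each value so the report
itself does not leak the secret.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Identifier formats as documented by the vendors: a Twilio Account SID is "AC"
# followed by 32 hex characters, a Twilio auth token is 32 hex characters, an
# AWS access key ID is "AKIA" followed by 16 upper-case alphanumerics.
TWILIO_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A bare 32-hex string is also what a checksum looks like, so it is only
# reported as a possible token when the same line names it as one (heuristic).
SECRET_HINT_RE = re.compile(r"token|secret|password|credential", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    masked_value: str


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be matched to
    a key in the provider console without reproducing the whole secret."""
    if len(value) <= 12:
        return "***"
    return value[:4] + "..." + value[-4:]


def scan_strings(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per credential-shaped string, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in TWILIO_SID_RE.finditer(line):
            findings.append(Finding("twilio_account_sid", line_no, mask(match.group())))
        for match in AWS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, mask(match.group())))
        if SECRET_HINT_RE.search(line):
            for match in HEX32_RE.finditer(line):
                findings.append(Finding("possible_twilio_auth_token", line_no, mask(match.group())))
    return findings


def ships_credentials(lines: Iterable[str]) -> bool:
    """Release gate: true when the build carries anything credential-shaped."""
    return bool(scan_strings(lines))


# Constructed sample, modelled on what `strings` prints for a decompiled build.
# None of these values is a real credential.
SAMPLE_STRINGS = [
    "Lcom/example/app/TwilioConfig;",
    "twilio_account_sid=AC0123456789abcdef0123456789abcdef",
    "twilio_auth_token=fedcba9876543210fedcba9876543210",
    "asset_checksum=d41d8cd98f00b204e9800998ecf8427e",
    "aws_access_key_id=AKIAABCDEFGHIJKLMNOP",
    "https://api.twilio.com/2010-04-01/Accounts/",
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} {f.masked_value}")
    if ships_credentials(SAMPLE_STRINGS):
        raise SystemExit("build contains hard-coded credentials; rotate them and move them server-side")
```

On the constructed sample the scan reports the Account SID, the token named on the same line and the AWS key, while the bare checksum on line 4 is left alone. A hit is only useful if it is acted on at the provider: as the article notes, pulling the app does not help, because the value stays valid in every build already shipped until the credential itself is rotated and the API calls are moved behind a server the team controls.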
