
Major Password vulnerability in multiple Android and iOS apps.


    Time to check your apps. Not specific to Android or iOS, just specific to sloppy development.

    https://appbugs.co/html/bugs_categor...ord_bruteforce

    AppBugs found that 53 mobile apps (Android and iOS, approximately 600 million users impacted) have password brute force issues in their web services, and attackers can exploit the holes immediately to steal users' passwords.
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

    #2
    3 Apps found 2 more OK
    Best Forum Advisor 2014


      #3
      Had one on my Android tablet. A file manager.

      PS That android Appbugs Security Scan logo looks amazingly similar to my android app, also about bugs. With a bit of luck people will get mixed up and install mine by mistake.

      https://play.google.com/store/apps/d...com.appbugs.ui

      https://play.google.com/store/apps/d....ISee.LandBugs
      Last edited by xoggoth; 28 July 2015, 08:35.
      bloggoth

      If everything isn't black and white, I say, 'Why the hell not?'
      John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)



        #4
        These appear to be vulnerabilities in the HTTP APIs, not in the apps at all. The apps are just client software that uses the relevant HTTP endpoint.



          #5
          Originally posted by NickFitz:
          These appear to be vulnerabilities in the HTTP APIs, not in the apps at all. The apps are just client software that uses the relevant HTTP endpoint.
          Yes, as per the original post, the apps are making use of vulnerable web services. The net effect is still that passwords used by or with the apps are vulnerable to brute force attacks without the app owners' knowledge.
          "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
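
Added example, not part of the thread or of the AppBugs report: since the weakness discussed in #4 and #5 sits in the HTTP API rather than in the app, the limit on password guesses has to be enforced by the web service itself. A minimal Python sketch of such a server-side limit; `LoginThrottle`, `login`, `check_password` and the in-process dict are hypothetical names and assumptions (a real service would keep the counters in a shared store).

```python
import time


class LoginThrottle:
    """Counts failed logins per account and per client address (hypothetical helper)."""

    def __init__(self, max_failures=5, base_lock=30.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.clock = clock
        self._state = {}  # key -> (failure count, locked-until timestamp)

    @staticmethod
    def _keys(account, client_ip):
        # Two independent counters: one guards the account, one the source address.
        return (("acct", account.lower()), ("ip", client_ip))

    def retry_after(self, account, client_ip):
        """Seconds the caller must wait; 0.0 means an attempt is allowed."""
        now = self.clock()
        waits = [self._state.get(k, (0, 0.0))[1] - now
                 for k in self._keys(account, client_ip)]
        return max(0.0, *waits)

    def record(self, account, client_ip, success):
        now = self.clock()
        for key in self._keys(account, client_ip):
            if success:
                # A good login clears the account counter only, so one valid
                # account cannot be used to reset the per-address counter.
                if key[0] == "acct":
                    self._state.pop(key, None)
                continue
            failures = self._state.get(key, (0, 0.0))[0] + 1
            over = failures - self.max_failures
            # Lock time doubles with every failure past the threshold, capped.
            lock = min(self.max_lock, self.base_lock * 2 ** over) if over >= 0 else 0.0
            self._state[key] = (failures, now + lock)


def login(throttle, check_password, account, password, client_ip):
    """Returns (HTTP status, Retry-After seconds) for one login request."""
    wait = throttle.retry_after(account, client_ip)
    if wait > 0:
        # Refuse before verifying anything: while locked, even a correct
        # guess gets the same 429, so guessing cannot continue.
        return 429, round(wait)
    ok = check_password(account, password)
    throttle.record(account, client_ip, ok)
    return (200, 0) if ok else (401, 0)
```

Because the check runs on the server, it applies equally to the official app and to any other HTTP client calling the same endpoint.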
