A group of security researchers has discovered a critical vulnerability in major mobile banking applications that left banking credentials vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who analyzed hundreds of iOS and Android banking apps.
The experts discovered that several of them were vulnerable to man-in-the-middle attacks.
The list of affected banking apps includes Allied Irish bank, Co-op, HSBC, NatWest, and Santander.
An attacker sharing the same network segment of the victim could intercept SSL connection and retrieve the user’s banking credentials even if the apps are using SSL pinning feature.
Researchers found that due to the wrong implementation of the authentication process the apps were vulnerable to MITM attacks. The lack of hostname verification left many banking applications open to attacks because they were not able to check if they connected to a trusted source.
The apps fail to check that they connect to a URL having the hostname that matches the hostname in the digital certificate that the server exposes.
“Automated tools do exist to test a variety of TLS flaws. Lack of certificate signature verification can be tested for by serving the client a self-signed certificate, lack of hostname verification by serving a valid certificate for a different hostname, and lack of certificate pinning can be checked for by adding a custom CA to the device’s trust store. ” continues the paper.
“These tests have been shown to be effective at finding vulnerabilities in apps  and poor TLS certificate validation . However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname”
The experts created a new automated tool, dubbed Spinner, to test hundreds of banking apps quickly and without requiring purchasing certificates.
The tool leverages Censys IoT search engine for finding certificate chains for alternate hosts that only differ in the leaf certificate.
“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name),” continues the paper.
“If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable.”
The security experts with the help of the National Cyber Security Centre (NCSC) notified all affected banks that addressed the issues before they publicly disclosed their findings.
(Security Affairs – pinning, banking applications)