Enjoy the paper!
Android and Apple devices are the most used worldwide, millions of mobile users every day use the apps available in their official stores, but what if the majority of these applications are vulnerable to brute force attack?
Researchers at AppBugs found 53 Android and Apple apps are affected by the password brute force issues. The list of flawed apps includes SoundCloud, ESPN, CNN, Expedia, and Walmart.
“Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user. Even iCloud has been found to have had such a hole and it was rumored to be the cause of the massive celebrity hack happened in late 2014. AppBugs found 53 mobile apps (Android and iOS, approximately 600 million users impacted) have the password brute force issues in their web services and attackers can exploit the holes immediately to steal users passwords.” States the blog post published by AppBugs.
15 apps from the list failed to fix server-side problems after being given 30 days to fix the problem before disclosure.
The known apps Wunderlist, Dictionary, and Pocket implement new fixes, to prevent brute force sign in attempts after being inform about their apps problems.
AppBugs researchers citing the paper “The science of guessing: analyzing an anonymized corpus of 70 million passwords” explained that hackers could take between 30 minutes to a month to break into most accounts.
“Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user,”
“Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half hour to 24 days to guess a password, depending on the strength of the target password.”
“Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
Enjoy the paper!
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – brute force, mobile Apps)