Banking apps (and one VPN) hit by worrying security flaw

Security researchers have found that some major UK and US banks had vulnerabilities in their mobile apps which potentially allowed malicious parties to steal login credentials, although these holes have apparently now been patched.

Researchers from the computer science department of the University of Birmingham in the UK found that banks including HSBC – and also a VPN provider, TunnelBear – had flaws in their iOS and Android apps which allowed for so-called ‘man in the middle’ attacks to take place.

The issue pertained to the way the apps conduct ‘certificate pinning’, a technique that lets the software specify a particular certificate it trusts for a given server, rather than accepting any certificate a device’s trust store would accept. The vulnerability was in the implementation of certificate pinning and verification used when creating a TLS connection, Threatpost explains.

The result was that it was possible to spoof the pinned certificate and therefore pull off a ‘man in the middle’ attack, in which the malicious party can obtain the victim’s login details.

Critical compromises

This is obviously particularly critical when it comes to online banking, and the affected apps included a whole range of HSBC apps (including the basic HSBC app, and HSBC Business app), along with Bank of America Health, Meezan Bank, and Smile Bank.

It’s also worrying that a VPN provider could have a hole in its software, too, considering Virtual Private Networks are all about making the internet a more secure and private place for users.

According to the report, all the banks have fixed the relevant vulnerabilities in their apps, but it just goes to show you that even software which really should be ultra-secure can still have holes in it.

TunnelBear isn’t mentioned, but presumably the provider has implemented a fix as well, you would hope.

The researchers concluded: “Clearly, the abundance of pinning implementation options available to developers has played a role in causing these flaws to be made. Platform providers can make this less of an issue by providing standardised implementations with clear documentation. To this end, Google have introduced Network Security Configuration in the Android 7.0 SDK.

“If app developers make use of these standard implementations, instead of rolling out their own or using 3rd party libraries, these errors will be much less likely to occur.”

http://feeds.feedburner.com/~r/techradar/software-news/~4/tZtsWdnd_dc
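The researchers point to Android’s Network Security Configuration as the standard alternative to hand-rolled pinning code. The following is an added example of such a configuration, not code from the article or from any of the apps it names; the domain and the two base64 pin values are constructed placeholders (each is the SHA-256 of a leaf or intermediate SubjectPublicKeyInfo in a real deployment), and the file is assumed to be referenced from the app manifest as shown in the comment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example, not from the article).
     Referenced from AndroidManifest.xml via
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Pins declared here are checked by the platform in addition to its normal
     certificate-chain validation, so the app needs no custom TrustManager. -->
<network-security-config>

    <!-- Default for every host not listed below: system CAs only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the banking API host (placeholder domain). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.bank.example</domain>

        <!-- Expiration stops pinning silently bricking the app after a key rotation:
             once this date passes, the platform falls back to normal CA validation. -->
        <pin-set expiration="2026-01-01">
            <!-- Primary pin: SHA-256 of the current server key's SubjectPublicKeyInfo.
                 Placeholder value (32 zero bytes, base64), will never match a real key. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for a key held offline, so rotation does not lock users out.
                 Also a placeholder. -->
            <pin digest="SHA-256">//////////////////////////////////////////8=</pin>
        </pin-set>

        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Debug builds only: lets testers add their own CA without weakening release
         builds. Ignored unless android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The pin is the digest of the key, not of the whole certificate, so a certificate renewal that keeps the same key pair does not break the app; a rotation to a new key must be preceded by shipping its pin (or the backup pin above) in an app update.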