- Jul 22, 2014
UPDATE Mobile app developers who code using the Twilio cloud-based platform and are forgetful about removing their hardcoded credentials have put businesses' messaging data at risk of exposure.
The so-called Eavesdropper vulnerability, disclosed today by Appthority, has been around since 2011 and in apps downloaded likely more than 200 million times.
The researchers privately reported the bug in July; they found 685 enterprise apps (56 percent of them iOS apps) linked to 85 Twilio developer accounts. Many of the apps have been removed from the respective Apple and Google stores but as of August, 75 still remained on Google Play and 102 on the App Store.
“The affected Android apps had been downloaded up to 180 million times,” Appthority said. “Approximately 33 percent of the Eavesdropper apps found are business related. The exposure has been present since 2011. The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages.”
Appthority said the hardcoded credentials afford an attacker “global access” to metadata in the developers’ Twilio accounts, including text messages, call metadata and recordings.
“Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain,” Appthority said, adding that it did not listen to any of the exposed recordings, but that based on the types of apps, it’s not far-fetched to assume sensitive business transactions were discussed and negotiated on these calls.
“A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,” Appthority said.
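The root cause described above is a long-lived Twilio Account SID and auth token compiled into the app itself, where anyone who unpacks the bundle can read them. A defender's first step is to find such pairs in their own builds before shipping. The following scanner is an added example written for this article; it is not code from Appthority, Twilio or any affected app. It assumes only the publicly documented Twilio identifier shape (an Account SID is "AC" followed by 32 hex characters, an auth token is 32 hex characters) and runs over a constructed list of strings of the kind one would pull from a decompiled bundle; the keyword hints used to tell a token from an ordinary hash are an assumption of this example.

```python
import re

# Twilio Account SIDs are "AC" plus 32 hex characters; auth tokens are 32 hex
# characters (publicly documented format).
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Assumed hint words that usually sit beside a secret in source or resource
# files. A bare 32-hex value without such a hint (e.g. a content hash) is not
# reported, to keep noise down.
TOKEN_HINT_RE = re.compile(r"(auth[_-]?token|twilio[_-]?token|secret)", re.IGNORECASE)

# Constructed sample input: strings as they might come out of `strings` over a
# native binary or grep over Android resources. The values are placeholders,
# not real credentials.
SAMPLE_STRINGS = [
    'TWILIO_ACCOUNT_SID = "AC' + "a" * 32 + '"',
    'TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef"',
    "https://api.twilio.com/2010-04-01/Accounts/",
    'cache_key = "9f86d081884c7d659a2feaa0c55ad015"',   # a hash, not a credential
    'user_agent = "ExampleApp/1.0"',
]


def find_hardcoded_twilio_credentials(lines):
    """Return (line_no, kind, value) findings for Twilio-shaped secrets.

    kind is "account_sid" for an AC... identifier and "auth_token" for a
    32-hex value that sits on a line with a token-like keyword.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        sid = ACCOUNT_SID_RE.search(line)
        if sid:
            findings.append((no, "account_sid", sid.group(0)))
            continue  # the SID's own hex tail must not be re-read as a token
        if TOKEN_HINT_RE.search(line):
            for match in HEX32_RE.finditer(line):
                findings.append((no, "auth_token", match.group(0)))
    return findings


def has_exposed_account(findings):
    """True when both halves of the credential pair are present: SID plus
    auth token together grant account-wide API access, which is the exposure
    Appthority describes. A SID alone is only an identifier."""
    kinds = {kind for _, kind, _ in findings}
    return {"account_sid", "auth_token"} <= kinds


if __name__ == "__main__":
    found = find_hardcoded_twilio_credentials(SAMPLE_STRINGS)
    for no, kind, value in found:
        print(f"line {no}: {kind} = {value[:6]}...")  # never log the full secret
    print("account credential pair exposed:", has_exposed_account(found))
```

Run this as a pre-release check over the unpacked APK or IPA (and over the source tree in CI). A positive result means the token should be treated as compromised and rotated in the Twilio console, and the app redesigned so that it never holds a long-lived account credential: Twilio calls belong on a backend the app talks to with a per-user, short-lived token, which is also what confines the blast radius of a single leaked build.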
...
...