Eavesdropper vulnerability leaves 180 million smartphone users exposed to hackers

A coding error, dubbed Eavesdropper, in up to 685 mobile apps that rely on a third-party service for text messaging and audio calls exposed sensitive data of up to 180 million smartphone users to hackers.

The Eavesdropper vulnerability, found in apps built on the third-party communications service Twilio, allowed attackers to read the messages, call metadata and recordings stored in the developers' Twilio accounts.

Even though there is no evidence of hackers actually exploiting the vulnerability, security research firm Appthority said that the flaw potentially exposed to attackers the text/SMS messages, call metadata and voice recordings of as many as 685 apps used by over 180 million people.

'Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain,' said the firm.

'We believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,' it added.

The vulnerability arose because the developers of apps that use Twilio, in violation of Twilio's documented guidelines for the secure use of credentials and tokens, hardcoded their Twilio account credentials into the apps themselves. Anyone who extracts those credentials from an app's binary can use them against Twilio's API to read the audio and message-based communications of every user of that app, without injecting malware or gaining root access to any device.

Appthority first discovered the Eavesdropper vulnerability in April 2017 and reported it to Twilio. Because the exposed credentials live in the apps rather than in Twilio's service, remediation falls to each developer: revoke and rotate the leaked tokens and move Twilio calls behind a server the developer controls. Initially, the firm found that as many as 685 apps were affected, 56% of them iOS apps and 44% Android.

'As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store. The affected Android apps had been downloaded up to 180 million times. Approximately 33% of the Eavesdropper apps found are business related,' the firm noted.

Appthority added that it found the same hardcoding pattern with Amazon Web Services credentials, which in turn exposed data held in Amazon cloud storage. Around 40% of the vulnerable apps also exposed Amazon credentials, and across its wider app dataset the firm found hardcoded credentials for 2,030 Amazon accounts in 20,098 apps.

'The data exposure is much larger than just the mobile app’s resources. S3 bucket names are globally unique, encouraging them to be descriptive, and usually limited to 100 per account, which often leads to data not being properly compartmentalized.

'Based on the names of the buckets, credential leakage often exposes information including the developers’ Amazon infrastructure and network resources, including company information such as customers and sales data through database backups,' the firm added.
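The practical check behind both findings above, the hardcoded Twilio credentials and the hardcoded Amazon keys, is to dump the strings from an app build and look for credential-shaped values sitting next to each other. The script below is an added example written for this page, not Appthority's or Twilio's tooling. It uses the vendors' documented credential formats (a Twilio Account SID is "AC" plus 32 hex characters, an auth token is 32 hex characters, an AWS access key ID is 20 characters starting with AKIA or ASIA, a secret key is 40 characters) and the real Twilio REST paths an attacker would query with a stolen SID/token pair. The sample string table is constructed for the example; the AWS values in it are Amazon's own documented placeholder credentials, and the proximity window of three lines is a heuristic of mine, not a vendor rule.

```python
"""Scan strings dumped from a mobile app build (e.g. `strings` over an APK's
classes.dex or an IPA payload) for hardcoded Twilio and AWS credentials.
Example code added for illustration; not the vendor's or the researchers' tool."""
import re
from dataclasses import dataclass

# Vendor-documented credential shapes.
TWILIO_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")          # 34 chars, "AC" prefix
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")                 # auth token (also any MD5)
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # 20-char access key ID
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
S3_REF_RE = re.compile(r"s3://[a-z0-9.-]{3,63}|[a-z0-9.-]{3,63}\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")

PROXIMITY = 3  # heuristic (assumption): a token within this many lines of a SID is its pair


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line: int          # 1-based line in the string dump
    confidence: str    # "high", "medium" or "low"


def redact(secret: str) -> str:
    """Identify a credential in a report without reprinting it in full."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def _hits(regex: re.Pattern, lines: list[str]) -> list[tuple[str, int]]:
    return [(m.group(), n) for n, line in enumerate(lines, 1) for m in regex.finditer(line)]


def _near(n: int, anchors: list[int]) -> bool:
    return any(abs(n - a) <= PROXIMITY for a in anchors)


def scan(text: str) -> list[Finding]:
    lines = text.splitlines()
    sids = _hits(TWILIO_SID_RE, lines)
    keys = _hits(AWS_KEY_ID_RE, lines)
    sid_lines = [n for _, n in sids]
    key_lines = [n for _, n in keys]
    findings = [Finding("twilio_account_sid", v, n, "high") for v, n in sids]
    findings += [Finding("aws_access_key_id", v, n, "high") for v, n in keys]
    # A bare 32-hex string could be any MD5 digest baked into the app; only rate it
    # high when an Account SID sits within a few lines of it, which is how a
    # hardcoded SID/token pair actually shows up in a dumped string table.
    for v, n in _hits(HEX32_RE, lines):
        findings.append(Finding("twilio_auth_token", v, n, "high" if _near(n, sid_lines) else "low"))
    for v, n in _hits(AWS_SECRET_RE, lines):
        findings.append(Finding("aws_secret_access_key", v, n, "high" if _near(n, key_lines) else "low"))
    # Bucket references are not secrets, but descriptive bucket names tell an
    # attacker with leaked keys where to look first.
    for v, n in _hits(S3_REF_RE, lines):
        findings.append(Finding("s3_bucket_reference", v, n, "medium"))
    return sorted(findings, key=lambda f: f.line)


def twilio_exposure(findings: list[Finding]) -> list[tuple[str, str, list[str]]]:
    """For each high-confidence SID/token pair, list the Twilio REST resources an
    attacker can read with plain HTTP basic auth (SID as user, token as password)."""
    sids = [f for f in findings if f.kind == "twilio_account_sid"]
    tokens = [f for f in findings if f.kind == "twilio_auth_token" and f.confidence == "high"]
    pairs = []
    for s in sids:
        for t in tokens:
            base = f"https://api.twilio.com/2010-04-01/Accounts/{s.value}"
            pairs.append((s.value, t.value,
                          [base + "/Messages.json", base + "/Calls.json", base + "/Recordings.json"]))
    return pairs


def report(findings: list[Finding]) -> str:
    return "\n".join(f"line {f.line:>4}  {f.kind:<22} {f.confidence:<6} {redact(f.value)}"
                     for f in findings)


# Constructed sample: what a string dump of a vulnerable build might contain.
# The AWS key/secret are Amazon's documented example placeholders.
SAMPLE_STRINGS = """\
Lcom/example/app/net/TwilioClient;
ACdeadbeef00112233445566778899aabb
0123456789abcdef0123456789abcdef
https://api.twilio.com/2010-04-01/Accounts/
AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
s3://acme-prod-customer-db-backups
Lokhttp3/OkHttpClient;
d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    found = scan(SAMPLE_STRINGS)
    print(report(found))
    for sid, token, urls in twilio_exposure(found):
        print(f"\nSID {redact(sid)} + token {redact(token)} grants read access to:")
        for url in urls:
            print("  " + url)
```

The last line of the sample is the MD5 of the empty string, which the scanner correctly rates low because no Account SID is nearby; the token two lines below the SID is rated high and paired with it. A high-confidence pair is the whole finding: with it, the Messages, Calls and Recordings resources of that account are readable by anyone, which is exactly the exposure described in the article. Rotating the token in the Twilio console invalidates every copy shipped in old app versions.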

Copyright Lyonsdown Limited 2021