Hundreds of iOS apps could leak AWS credentials
Hundreds of mobile apps have leaked Amazon Web Services (AWS) credentials.
A recent analysis by Symantec identified 1859 publicly available apps, 98% of which are iOS apps, that contain encrypted AWS credentials that could put your data at risk.
The company found that more than three-quarters (77%) of applications contained valid AWS access tokens that allowed access to private services in the AWS Cloud, and almost half (47%) contained valid AWS access tokens that also provided full access to many, often millions, of private files through Amazon Simple Storage Service (Amazon S3).
AWS password leaks
According to security researcher Kevin Watkins, some of the reasons for the vulnerabilities include the unknowing use of vulnerable third-party software libraries and SDKs, outsourcing of application development, and cross-team collaboration, which leaves many opportunities for missed or ineffective communication.
The analysis highlights three specific examples of affected companies. The first, an anonymous B2B company that provides an intranet and communications platform, provided its customers with a mobile SDK that exposed keys to the company’s cloud infrastructure, exposing things like financial records and private data.
The second example cites a number of iOS banking apps that have outsourced the digital identification and authentication component of their respective apps. The SDK exposed the affected users' personal data, including their names and dates of birth. In addition, five banking apps leaked over 300,000 biometric fingerprints.
Finally, a hospitality and entertainment company that partnered with another company to share its technology platform found itself exposing customer and business data from a library used by 16 different apps.
The results of the investigation have been shared with the affected companies, but it is not yet known whether the issues have been resolved with immediate effect.
Via Bleeping Computer