Bad Login Services Implementation Exposes 56 Million Credentials

Researchers from the Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) in Germany have investigated a number of cloud databases, prompted by their growing popularity among mobile users looking to sync their data across several devices.

The team, led by Professor Eric Bodden, specifically examined login processes using services from Amazon, Google and Facebook, with a focus on apps from Google’s Play Store and Apple’s App Store.

In all, the scientists tested some 750,000 apps using a number of internally developed tools, examining how those apps use Backend-as-a-Service (BaaS) offerings to store data.

Some apps were found to be sharing public data – which doesn’t generally constitute any kind of security risk – but many of those tested also shared confidential data, such as:

  • Email addresses
  • Full names
  • Location data
  • Postal addresses
  • Passwords
  • Stored photos, audio and video recordings
  • Facebook data
  • Health records
  • Financial transactions
  • Detailed device information
  • Access to web-based storage plans and devices

Given the scope of crimes that could be perpetrated against someone with the above information – including identity theft and banking fraud – Professor Bodden issued the same type of warning that security researchers have been offering over the last few years, namely that:

Users should take care what kind of data they trust their apps with.

That, the team says, is because developers are not following the security recommendations they have been given:

When app developers include a BaaS into their app with just a few lines of code, this typically constitutes an insecure usage of the service. All cloud providers extensively document on their webpages how apps must include the BaaS such that secure access to the data is guaranteed. Most developers seem to be missing this crucial piece of information, though, and opt for the simple but insecure usage of the service, probably not even aware that they are putting their users’ data at risk.

The researchers determined that almost every affected app they tested granted access to the associated data through a secret key embedded in the app itself. Such a key can be recovered by anyone willing to unpack and inspect the app’s code, and because it is a single long-lived credential shared by every installation, whoever extracts it gets the same access to the backend as the app, which in the cases found meant access to every user’s records, not just their own.
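A check a practitioner would want after reading this is whether their own app ships such a key. The scanner below is an added example, not code from the article or from the Fraunhofer SIT / TU Darmstadt tooling. It assumes you have already pulled the printable strings out of the app binary (for instance by running `strings` over the `classes.dex` inside an unzipped APK, or over the iOS Mach-O executable) and feeds that dump to a few targeted rules. The sample dump is constructed; the AWS values in it are the placeholder credentials AWS uses in its own documentation. The one generalisation it makes is to rate AWS keys by prefix: long-lived IAM keys start with `AKIA` and are the insecure embedded pattern, while `ASIA` marks temporary STS credentials, which is what a correctly built app obtains per user after login.

```python
"""Scan a string dump from a mobile app binary for BaaS credentials that
should never ship to the client.  Added example, not from the article."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of what `strings` output might look like for an app
# that embeds its backend credentials.  The AWS values are the placeholder
# credentials from AWS's own documentation, not real keys.
SAMPLE_STRINGS = """\
com.example.app.MainActivity
https://api.example.com/v1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
sts_session_key=ASIAEXAMPLETEMPKEY12
PARSE_MASTER_KEY=3f9c2b7e8a1d4f6b9c0e2a5d7b8f1c3e
Content-Type: application/json
"""


@dataclass
class Finding:
    rule: str
    line_no: int
    value: str
    severity: str  # "high" for long-lived secrets, "info" for temporary ones


# AWS access key IDs: AKIA = long-lived IAM key, ASIA = temporary STS key.
_AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret access keys are 40 characters from the base64 alphabet.  The
# pattern alone is noisy, so it is only applied to lines that mention "secret".
_AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Assignments of master / REST keys for BaaS consoles.  The names are the
# generic ones; a real scanner would add each provider's exact identifiers.
_MASTER_KEY = re.compile(
    r"(?i)(master[_-]?key|rest[_-]?api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{8,})"
)


def scan_strings(dump: str) -> List[Finding]:
    """Return every credential-looking string in the dump with a severity."""
    findings: List[Finding] = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        for m in _AWS_KEY_ID.finditer(line):
            # Temporary (ASIA) keys expire and are scoped per session, so they
            # are reported for review but not as a shipped long-lived secret.
            severity = "high" if m.group(1) == "AKIA" else "info"
            findings.append(Finding("aws_access_key_id", line_no, m.group(0), severity))
        if "secret" in line.lower():
            for m in _AWS_SECRET.finditer(line):
                findings.append(Finding("aws_secret_access_key", line_no, m.group(0), "high"))
        for m in _MASTER_KEY.finditer(line):
            findings.append(Finding("baas_master_key", line_no, m.group(2), "high"))
    return findings


def ships_long_lived_secret(dump: str) -> bool:
    """True if the dump contains at least one high-severity credential."""
    return any(f.severity == "high" for f in scan_strings(dump))


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f.line_no:>3}  {f.severity:<4}  {f.rule:<22}  {f.value}")
    print("ships long-lived secret:", ships_long_lived_secret(SAMPLE_STRINGS))
```

A hit on the `AKIA` key together with its secret is the exact situation the researchers describe: the app is carrying the backend’s own credential rather than obtaining a short-lived, user-scoped one after login. Treat a `high` finding as a key that has to be rotated, because every installed copy of the app has already disclosed it.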

Due to the large number of suspicious apps, as well as legal restrictions, the researchers were only able to perform detailed analysis on a relatively small percentage of all the apps in the two marketplaces but, even so, Bodden said they were able to conclude that:

Our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation.

In a demonstration of responsible disclosure, the team shared its findings with the German Federal Office for Information Security (BSI) as well as cloud providers, with Bodden saying:

With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger.

So what can you do to protect your data from exposure in this manner?

According to the researchers, not much.

They say bad practice is so commonplace that the thousands of vulnerable apps they discovered are likely to be just the tip of the iceberg. There’s also no way for the average person to know whether a given app is using a BaaS insecurely or otherwise.

Therefore, their suggestion is to only rely upon apps that have been validated for security by third parties.

Business Assurance in the 21st Century

As you may recall from my “Outlook is Cloudy” post I am the Chief Operations Officer for the Common Assurance Maturity Model (CAMM).  I have been involved with CAMM for nearly two years and it has been a pleasure to work with some brilliant minds and excellent people on the project.  Earlier this week the “Business Assurance in the 21st Century” whitepaper (PDF File) was released.

This whitepaper was developed by a number of key organisations, such as The Shared Assessments Program; the Information Security Forum (ISF); the Cloud Security Alliance (CSA); the Payment Card Industry (PCI); the Common Assurance Maturity Model (CAMM); and ISACA.  The whitepaper outlines the plans of the above organisations to create a global repository of assessments for assurance of the IT supply chain (including cloud services).  In addition this “initiative and repository should be independent and ‘not for profit’ in order to ensure its focus, provide transparency and secure wider endorsement”.

The full whitepaper can be downloaded from the CAMM website.

Keep an eye out for more exciting announcements from CAMM over the coming weeks.

Outlook is Cloudy

Cloud computing has become an exciting evolution in how we deliver, access and use services over the Internet.  The Cloud offers organisations many benefits and opportunities.  However, these opportunities and benefits do not come without a number of security risks that need to be considered.
Ireland is uniquely positioned to handle these issues.  In an article with the CSO Online Magazine titled “Ireland hopes security measures attract big cloud providers” I outline a number of these benefits.  In my opinion these benefits include the high quality of information security professionals that are based here, our experience in managing and running large datacentres and the cloud security research that is going on in various universities.
I have also taken on some active roles to ensure that we as an industry can address the security challenges the cloud presents.  To this end I am happy to say I have been appointed the Chief Operations Officer for the Common Assurance Maturity Model (CAMM).  The objectives of CAMM are to:
  • Provide a framework in support of the transparency needed to attest the Information Assurance maturity of third-party providers and suppliers (e.g. cloud providers).
  • Publish results in an open and transparent manner, without a mandatory need for third-party audit functions or due diligence engagements.
  • Allow data processors to demonstrably publicise their attention to Information Assurance in comparison to other suppliers’ levels of compliance and security profiles.
  • Negate the operational requirement for time-consuming, expensive, subjective and resource-intensive bespoke arrangements to attest security and compliance.
I have also taken a position on the board of the UK and Irish Chapter of the Cloud Security Alliance.  The Cloud Security Alliance (CSA) is a “not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” We have some exciting events planned, including a chapter meeting in Dublin to be held later this year, so watch this space.  If you are interested in cloud security you should join the UK and Irish Chapter of the Cloud Security Alliance as it will provide you with the resources to develop and hone the skills required for this evolving environment.
If you are wondering what security challenges we face in moving to the cloud, I recommend that you read the Cloud Security Guidance white paper from the Cloud Security Alliance and also ENISA’s excellent white paper on Cloud Computing.
You can also review my presentation on cloud security below.