Researchers have uncovered a flaw in the way thousands of people store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, exposed to hackers.
German researchers found 56 million items of data in danger of being hacked in the applications, which include games, social networks, messaging, medical and bank transfer apps.
“In every category we found an app that was in danger of being hacked,” said Siegfried Rasthofer, a member of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.
The number of records likely to be affected “could be in billions,” said team leader Eric Bodden. The problem is in the way developers validate users when storing their data in online databases, he added.
Most such apps use services such as Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data.
These services let developers protect the data with a string of letters and numbers, known as a token, that is embedded in the software’s code.
Hackers extract and tweak the tokens in the app, which gives them access to users’ private data, said Bodden.
The defenseless applications, which the researchers refused to name, number in the thousands, and include some on the Apple and Google app stores. Google, Apple and Amazon did not respond to questions.
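A pre-release check for the embedded tokens described above, as an added example that is not from the researchers or the article: it scans app source for credentials hardcoded as string literals and reports them redacted. The rule patterns and the Java sample are constructed for illustration, and the AWS values in the sample are the placeholder keys from AWS's own documentation.

```python
import re

# Heuristic rules (assumptions of this example, not taken from the article).
RULES = [
    # AWS access key IDs: "AKIA"/"ASIA" prefix plus 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')),
    # A long string literal passed to Parse.initialize(...) in the mobile SDK.
    ("parse-initialize-literal",
     re.compile(r'Parse\.initialize\s*\([^)]*?"([A-Za-z0-9]{20,})"')),
    # Any secret/token/key-named constant assigned a long string literal.
    ("named-secret-literal",
     re.compile(r'(?i)\b\w*(?:secret|token|master_?key|api_?key)\w*\s*=\s*"([^"\s]{20,})"')),
]

# Constructed sample of decompiled app source; all values are placeholders.
SAMPLE = '''\
public class Backend {
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    void init(Context ctx) {
        Parse.initialize(ctx, "a1B2c3D4e5F6g7H8i9J0k1L2", "z9Y8x7W6v5U4t3S2r1Q0p9O8");
        String sessionToken = api.login(user, password);  // fetched at runtime
    }
}
'''

def scan(source):
    """Return (line_number, rule_name, redacted_value) for each hardcoded credential."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                # Use the captured literal if the rule has a group, else the whole match.
                value = match.group(match.lastindex or 0)
                # Redact so the report itself does not leak the credential.
                findings.append((number, name, value[:4] + "*" * (len(value) - 4)))
    return findings

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE):
        print(f"line {number}: {name}: {value}")
```

A token that is obtained per user at runtime, like `sessionToken` in the sample, produces no finding; only literals shipped inside the app do.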
App Developers to Blame
Security researchers say mobile apps face more risk of failing to secure data than those running on desktop or laptop computers. This is because developers are in a rush to release their apps, said Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven.
Bryce Boland, Asia Pacific Chief Technology Officer at internet security company FireEye, said the report reflected deeper problems. He said that FireEye found developers usually send users’ names and passwords unencrypted, “so it’s not surprising to find them storing them as well”.