Researchers found that app developers are not using authentications for cloud services properly, leaving millions of user accounts vulnerable to attack.
A team from Germany’s Darmstadt University of Technology and Fraunhofer Institute for Secure Information Technology investigated cloud databases such as Facebook’s Parse and Amazon’s AWS and found 56 million sets of unprotected data, including email addresses, password and health records, which can be easily stolen and manipulated.
App developers use cloud databases to store user data but “apparently ignore the security recommendation given by the cloud providers,” said the study, which means that “many user accounts are threatened by identity theft and other cybercrimes.”
The researchers explained that many apps store user information in cloud databases, for instance to ease synchronisation between Android and iOS apps. Cloud providers offer different authentication methods according to the information’s sensitivity.
The weakest form of authentication, meant to identify rather than to protect the data, uses a simple API-token, a number embedded into the app’s code. With current tools, it is not hard for attackers to extract these tokens to access the data.
As a result, they could sell email addresses on the underground market, blackmail users, deface websites or insert malicious code to spread malware or build botnets.
To properly protect private data, apps must implement an access-control scheme, the researchers recommend.
The team has informed cloud providers and the German Federal Office for Information Security (BSI), but it is the developers who need to get their act together.
“With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger”, said Eric Bodden, leader of the joint research team.
The researchers said they had no documented evidence that the flaw had been exploited and did not name the vulnerable apps, according to Reuters, but they number in the tens of thousands.
The report said that Apple staff plan to incorporate warnings to developers to double check their security settings before uploading apps to its App Store, while Facebook said it is working with affected developers but gave no detail.