Researchers at Bitdefender, an antivirus solutions provider, discovered that Android app Instapaper is vulnerable to “man-in-the-middle attacks” which could expose users’ login credentials.
When users of the app sign in while connected to a WiFi network that an attacker is monitoring, their usernames and passwords could be intercepted using a fake certificate and a traffic-intercepting tool.
This is a serious problem because many people use the same password for multiple accounts, meaning it might not just be Instapaper accounts that become vulnerable.
Instapaper, which allows users to save and store articles to read later, works by saving web pages as text only and formatting their layout for tablets or phone screens.
“The vulnerability lies not in the way the application fetches content but in the way it implements, or in this case, doesn’t implement, certificate validation,” explained Catalin Cosoi, chief security strategist at Bitdefender.
Although communication is handled via HTTPS – a protocol for secure communication over a computer network – the app performs no certificate validation, Bitdefender claims.
If someone were to perform a man-in-the-middle attack, they could use a self-signed certificate and start ‘communicating’ with the application.
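As an added illustration (not code from Instapaper or Bitdefender), the Python `ssl` configuration below places the weak pattern the finding describes beside a validating one, with an audit helper that flags the gaps a reviewer would look for; the pin helper goes beyond the article by showing the fingerprint check that also defeats an interceptor certificate issued by a trusted CA. All function names are assumed.

```python
import hashlib
import ssl

# Constructed illustration of the flaw Bitdefender describes: HTTPS is used on
# the wire, but the client accepts any certificate, so an interceptor can
# present a self-signed certificate and read the login in the clear.


def make_unvalidated_context() -> ssl.SSLContext:
    """The vulnerable pattern: no chain check and no hostname match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed included, is accepted
    return ctx


def make_validated_context() -> ssl.SSLContext:
    """The hardened pattern: chain verified against the platform trust store and
    the certificate's name matched against the host being contacted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation gaps in a client context; an empty list means a
    self-signed interceptor certificate would be rejected at the handshake."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not matched against the server")
    return findings


def compute_pin(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as a pinning value."""
    return hashlib.sha256(cert_der).hexdigest()


def matches_pin(cert_der: bytes, expected_pin: str) -> bool:
    """Pinning check to run on the peer certificate (getpeercert(binary_form=True))
    after the chain check: a valid but unexpected certificate is still refused."""
    return compute_pin(cert_der) == expected_pin


if __name__ == "__main__":
    print("weak context:", audit_context(make_unvalidated_context()))
    print("hardened context:", audit_context(make_validated_context()))
```

Run the audit against the context an app actually hands to its HTTP client; the two findings it reports for the weak context are exactly the conditions under which the attack in the article succeeds.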
Bitdefender (unsurprisingly) says users are highly encouraged to install a security solution that will warn of risky apps that could leak information to strangers.