Appthority says loophole affects 180 million users
Cyber-security company Appthority warned on Thursday of a vulnerability affecting up to 180 million smartphone owners: because of a simple coding error in at least 685 mobile applications, attackers could exploit the flaw to intercept text messages and calls. The company said the flaw, which it calls Eavesdropper, has existed since 2011.
According to Appthority, many developers mistakenly embedded in their apps the credentials needed to use Twilio, a cloud-based communications platform based in San Francisco, California. Twilio lets software developers make and receive phone calls and send text messages programmatically through the application programming interface of its web service.
The attack takes three steps: reconnaissance, exploitation and flow. Attackers first look for applications that use Twilio, using a tool such as YARA to find the strings defined within an application and then searching them for the string “Twilio”. Once that is done, they can determine the application’s Twilio credentials.
“The hackers can access that data by reviewing the code in the applications,” said Seth Hardy, director of security research at Appthority, and then access the data sent through those services. The findings shed light on new threats brought by the increased use of third-party services such as Twilio, which provide mobile apps with functions such as text messaging and voice calls.
Developers can inadvertently create security vulnerabilities if they do not program or set up these services correctly, the company’s director of security research added. “This is not unique to Twilio; it’s a common problem across third-party services, and we often note that if a programmer makes an error with one service, they will do the same with other services as well.”
Many applications use Twilio services to send text messages, make phone calls and handle other services, and attackers who log in to a developer’s Twilio account can access the related data. These errors are attributed to the developers rather than to Twilio, and Twilio’s developer documentation warns that leaving the credentials inside an application may expose the account to attackers.
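The hard-coded-credential mistake described above can be caught before an app ships by scanning the release build’s extracted strings, as in this added example (not code from the article, Appthority or Twilio). It assumes the input is the text output of a strings-style dump and relies on the published Twilio credential format (Account SIDs are “AC” followed by 32 hex digits, auth tokens are 32 hex digits); the sample dump and the credential values in it are constructed placeholders.

```python
import re

# Constructed sample of what a `strings` dump of a release build might contain.
# Credential values are fabricated placeholders, not real Twilio secrets.
SAMPLE_STRINGS = """\
com.example.app.MainActivity
https://api.twilio.com/2010-04-01/Accounts/
TWILIO_ACCOUNT_SID=ACdeadbeefdeadbeefdeadbeefdeadbeef
TWILIO_AUTH_TOKEN=0123456789abcdef0123456789abcdef
d41d8cd98f00b204e9800998ecf8427e
Welcome back!
"""

# Twilio Account SIDs are "AC" followed by 32 hex digits; auth tokens are 32 hex digits.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HINT_RE = re.compile(r"twilio|auth[_-]?token", re.IGNORECASE)


def redact(secret: str) -> str:
    """Keep only a short prefix so the report itself does not leak the value."""
    return secret[:4] + "..." + "*" * 4


def references_twilio(text: str) -> bool:
    """The article's reconnaissance step, run on our own build: does the app mention Twilio at all?"""
    return "twilio" in text.lower()


def find_twilio_credentials(text: str) -> list[dict]:
    """Return suspected hard-coded Twilio credentials, one dict per hit, with values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "account_sid", "value": redact(m.group())})
        # A bare 32-hex value is only flagged when the same line hints at Twilio or a token,
        # so MD5 hashes and resource ids elsewhere in the binary do not flood the report.
        if HINT_RE.search(line):
            for m in HEX32_RE.finditer(line):
                findings.append({"line": lineno, "kind": "auth_token", "value": redact(m.group())})
    return findings


def release_gate(text: str) -> tuple[bool, list[dict]]:
    """Return (passed, findings); fail the build if the app talks to Twilio and ships credentials."""
    findings = find_twilio_credentials(text) if references_twilio(text) else []
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, hits = release_gate(SAMPLE_STRINGS)
    print("PASS" if ok else "FAIL: hard-coded Twilio credentials found")
    for h in hits:
        print(f"  line {h['line']}: {h['kind']} {h['value']}")
```

In a pipeline, feed the gate the output of `strings` over the built APK or IPA contents and block the release on a FAIL.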
“The company has no evidence that hackers have used the credentials embedded in the applications to access customer data, but it is working with developers to change the credentials for affected accounts.”
In a survey conducted in July, Appthority examined 1,100 applications and found 685 unprotected ones (44% Android and 56% iOS) linked to the accounts of up to 85 developers. By the end of August the figure had dropped to 102 applications still in Apple’s App Store and 75 still in the Google Play store.