Eavesdropper Bug Exposes Millions of Texts, Calls

Share

For example, the Appthority team said they found Twilio credentials in an app used for secure communications by a federal law enforcement agency, and navigation apps for customers such as AT&T and US Cellular.

The vulnerability, which Appthority researchers have dubbed Eavesdropper, was introduced when developers "carelessly" hard coded their credentials in mobile apps using the Twilio Rest API or SDK for communications services. Security experts found that hundreds of apps built around the Twilio service were affected by Eavesdropper.

Up to 180 million smart phone owners are at risk of having some of their text messages and calls intercepted by hackers because of a simple coding error in at least 685 mobile apps, cyber-security firm Appthority warned on Thursday.

Based on their findings, researchers say the scope is in the realm of "hundreds of millions of call records, minutes of calls and audio recordings, and text messages".

Appthority Mobile Threat Protection is the only enterprise mobile security solution that can detect and protect from apps affected with the Eavesdropper vulnerability.

Researchers, however, note that "as of the end of August 2017", 75 of these vulnerable apps were still available on Google Play Store, and 102 on Apple's App Store, adding that exposure has been present since 2011.

Supreme Court disposes petition on framing of MoP for judges' appointments
This matter was taken up for hearing at 12.45 pm after it was mentioned in the morning at 10.30 am. Luthra, a bench of Chief Justice Dipak Misra , Justice A.K.

Secondly, the issue has nothing to do with Twilio or it's API; it's an issue that is entirely created by the app developer. Using the stolen credentials, a hacker could bypass authentication checks and steal user data handled by Twilio and other third-party services.

"The exposed data could potentially contain anything from contract negotiations, pricing discussions, or confidential recruiting calls, to proprietary product and technology disclosures, health diagnoses, market data, and M&A planning."
However, the report claimed that usually large companies review their apps for the security lapse which have been pointed out by Appthority and hence their user data are comparatively safer.

Exploitation: Look out for Twilio credentials, which consist of a Twilio ID and a token/password. Over 30% of the apps affected by the flaw were business-related.

Appthority provided the names of only a couple of apps out of the 685 which are affected in a bid to not "tip off potential hackers", Reuters reported. First, most users are likely unaware of what API their mobile apps use to handle certain features like texts and calls so it is unlikely the average person would be able to spot if an app they are using is vulnerable.

When the credentials are hard-coded into the app, it is possible for an attacker to hijack those credentials by examining the app's code.

Share