Security researcher Will Dormann of the US Computer Emergency Response Team (CERT) reported this week that over 350 apps from the Google Play and Amazon app stores are affected by a flaw in which the apps fail to validate SSL certificates.
The bug, which exposes many popular mobile applications such as the eBay mobile shopper and the Microsoft Tech Companion to fairly rudimentary man-in-the-middle attacks, has been tracked and logged by the CERT team for only about a week.
But instead of waiting the standard 45 days, quietly notifying the affected companies so they could get ahead of the issue with appropriate patches, CERT has opted to go public as soon as possible because of the severity and wide-reaching implications of what the attack could do if left unchecked for too long.
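The defect the article describes, shown as an added example in Android-style Java that is not code from the original report or from any of the named apps: the first pattern replaces the platform's certificate checks with a trust manager and hostname verifier that accept anything, which is what lets a man-in-the-middle present an arbitrary certificate; the second pattern leaves the platform defaults in place. The small `reviewSource` helper is a hypothetical code-review check that flags the usual tell-tale identifiers in a source file.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class TlsValidationExample {

    // VULNERABLE pattern (do not ship): a TrustManager that accepts every
    // certificate chain and a HostnameVerifier that accepts every host. An
    // app built this way completes the TLS handshake with whatever
    // certificate an intermediary presents, so it is open to interception.
    static SSLSocketFactory insecureFactory() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    // SECURE pattern: use the default SSLContext, which validates the chain
    // against the device trust store, and keep the default HostnameVerifier,
    // which checks that the certificate actually names the host being contacted.
    static HttpsURLConnection secureConnection(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Nothing else to do: do NOT call conn.setSSLSocketFactory(insecureFactory())
        // and do NOT call conn.setHostnameVerifier(ALLOW_ANY_HOST).
        return conn;
    }

    // Hypothetical review helper (assumption: a plain substring scan is enough
    // for a first pass). Returns the findings a reviewer should look at.
    static List<String> reviewSource(String source) {
        List<String> findings = new ArrayList<>();
        if (source.contains("checkServerTrusted") && source.matches("(?s).*checkServerTrusted\\([^)]*\\)\\s*\\{\\s*\\}.*")) {
            findings.add("empty checkServerTrusted: server certificate is never validated");
        }
        if (source.contains("ALLOW_ALL_HOSTNAME_VERIFIER") || source.contains("(hostname, session) -> true")) {
            findings.add("permissive HostnameVerifier: certificate subject is never matched to the host");
        }
        if (source.contains("setSSLSocketFactory")) {
            findings.add("custom SSLSocketFactory installed: confirm it still validates the chain");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of app source containing the anti-pattern.
        String sample =
            "public void checkServerTrusted(X509Certificate[] c, String a) {}\n" +
            "conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);\n";
        for (String f : reviewSource(sample)) {
            System.out.println("FINDING: " + f);
        }
    }
}
```

The fix in every affected app is the same: remove the custom trust manager and hostname verifier rather than trying to patch them, so that the platform's own chain validation and host matching apply.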
Because of the sheer number of affected programs, CERT has posted a document, updated continuously, that lets any developer caught up in the disclosure check whether their code is at risk.
Perhaps most worrying is the weakness in the Coles Credit Card app, which is used to pay for groceries and goods at the Australian supermarket chain. If properly exploited, the hole could allow attackers to sniff out financial information, which might then be used to steal a user’s identity without their knowledge.
Simply by capturing the username/password combination used by the app, attackers could read every credit and debit card stored on a person’s phone. Those details can easily be cloned onto fake cards and drained at an ATM, or used for large purchases at retailers known for looking the other way when it comes to checking the ID of the person at the register.
CERT has advised all users of Google Play and the Amazon line of mobile devices to keep a close eye on its list over the next several weeks and check whether any of their installed apps appear on it. Anyone who finds a match is instructed to uninstall the affected apps immediately and keep them off until a patch has been applied across all the affected platforms.