"Every single issue is an imminent threat to all users using that app," AppBugs warns. "Once an attacker knows an app is vulnerable to brute force, this person can launch immediately attacks to guess user’s password from the web service of the vulnerable app on all user accounts."As with the iCloud leak, AppBugs' study reveals that these apps, which include iHeartRadio, CNN, and Walmart, do not set a limit on the number of times a user can try to access their account.
AppBugs is right. According to a research paper written by Joseph Bonneau of the University of Cambridge, passwords in general contain between only 10 and 20 bits of security against any form of attack.
An attacker who can make a login attempt to a vulnerable app service at least 30 times a minute can therefore successfully crack a password using between 1,024 and 1,048,576 guesses, the latter of which can be completed within at most 24 days. Depending on the strength of any given password, the time required to break a password may decrease to as little as half an hour.Some app developers have attempted to counter this vulnerability by deploying web application firewalls (WAF) or other rate limiting techniques that can reset a connection with a particular IP address after a certain number of login attempts. However, AppBugs observes that these mitigation strategies do not work.
"Resetting the connections will just slow down the attacks. The attacker can simply make less connections in every minute to circumvent the defense. Blocking some IP addresses will just force the attackers to use some other IP addresses. For real attackers with a botnet, this is totally not an issue."Most attackers do not operate under such constraints, however.
"Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute," AppBugs notes. "If today the attacker launches such attack against most user accounts in parallel, he will be able to get most user passwords within 24 days."So far, AppBugs has released the names of 15 apps after giving them 30 days to fix their password brute force attack vulnerabilities. Only three of those—Wunderlist, Dictionary, and Pocket—have issued fixes. Unless they request extensions, AppBugs intends to release the names of the remaining 38 apps on July 30. To learn more about AppBugs and its efforts to help strengthen mobile security, please visit the company's website here. Title image courtesy of ShutterStock