Vulnerabilities / Threats
11/5/2010
11:21 AM
50%
50%

Vulnerabilities Found In Banking Apps

Security holes in Android and iPhone apps from PayPal, Bank of America, Chase, Wells Fargo, and more could give attackers access to financial data.

Top 20 Android Productivity Apps
(click image for larger view)
Slideshow: Top 20 Android Productivity Apps

Smartphone banking applications from Bank of America, Chase, PayPal, TD Ameritrade, USAA and Wells Fargo have bugs that an attacker could exploit to steal people's personal financial information. So said digital forensics firm viaForensics in a security warning released Thursday. The security flaw was not found in the firm's testing of a Vanguard Group smartphone banking app.

"We encountered a surprising and increasing amount of highly sensitive financial and identity information on smartphones," said Andrew Hoog, CIO of viaForensics. "This information, uncovered on both Apple iPhones and Google Android devices, would only benefit cyber criminals and identity thieves. While Google and Apple each approach the app review process differently, neither approach has prevented insecure applications from being installed."

Hoog said that his company began "communicating and coordinating with the financial institutions to eliminate the flaws" on Monday, and that the vulnerability announcement reflects how the applications performed as of Wednesday. "Since that time, several of the institutions have released new versions and we will post updated findings shortly."

Major vulnerabilities encountered included some applications failing to validate security certificates, leaving them vulnerable to man-in-the-middle attacks. Such attacks could recover "full user name, password, and account data," said Hoog. Other applications failed to encrypt transmitted passwords, sending them as clear text. Others inappropriately "saved your data to the smartphone, allowing recovery of all financial information viewed in the application."

One organization that moved to quickly retool its mobile application was PayPal, a division of eBay. On Thursday, PayPal spokeswoman Amanda Pires told the Wall Street Journal that PayPal had submitted a new version of its application to the Apple App Store for review on Tuesday evening, and that there was no evidence of attackers having exploited the vulnerability. "To my knowledge it has not affected anybody," she said. PayPal also said it would fully reimburse anyone who lost money as a result of the vulnerability. The affected PayPal application had been downloaded 4 million times.

The bug disclosure comes on the heels of PayPal's announcement last week that it expects to process more than $700 million in mobile payments by the end of the year.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

CVE-2015-2922
Published: 2015-05-27
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.