Application Security

7/6/2018
10:15 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Trading Platforms Riddled With Severe Flaws

In spite of routing trillions of dollars of stock and commodity trades every day, financial cousins to online banking applications are written very insecurely.

While many banking application developers have made great strides in hardening their software from attacks, much of the rest of the fintech application field is wide open for ownage through very basic but severe vulnerabilities reminiscent of the kind we saw nearly a decade ago.

Next month at Black Hat USA, a researcher from IOActive will detail some stark examples of this during a presentation that will show the depths of flaws found present in stock-trading platforms used by millions of traders around the globe.

"When I'm testing a web platform or mobile platform, it is as if I'm testing an application from 2010 or 2012," says Alejandro Hernandez, senior consultant for IOActive. This is a follow-on from initial research he presented last year on a limited number of mobile-trading applications. This year, he expanded the scope to desktop, web application, and mobile-trading software offered by a wide range of financial institutions. 

Hernandez found a universal lack of security controls up and down the list of 79 applications he tested. Across all three categories, he saw examples of decades-old protocols being used for communication that were sending transmissions unencrypted. He also found examples of unencrypted storage, unencrypted log files, and no enforcement for strong password policies or automatic logout.

"You'd think by the nature of the technology that these kind of technologies would be super secure," Hernandez says. "You assume, well, if my mobile-banking app or home-banking websites are secure – or at least somewhat secure – that trading applications where trillions of dollars are traded per day would also be secure. But that's not the case."

Specifically in mobile-trading applications, Hernandez found many did not even perform SSL certificate validation to prevent man-in-the-middle attacks. Additionally, few of them had any kind of anti-reversing mitigations; upon reverse-engineering them, he found that most included hard-coded secrets in the code. In the web applications, he found session cookies still created without security flags and very few of them using HTTP security headers. 

Meantime, because the desktop applications include full feature sets, they have even more interesting flaws due to a larger attack surface. For example, the desktop applications frequently use a customized programming language that make it easy for traders to install add-ons and plug-ins. But this feature also opens them up to being easily tricked into installing malicious plug-ins, such as a malicious trading robot or malicious financial indicator function. Similarly, the way these desktop applications are designed to interact and communicate with other trading technologies, they're frequently wide open to denial-of-service (DoS) conditions.  

The applications tested are primarily used by consumer investors, but Hernandez says a number of institutional investors also rely on them. The malicious applications of all these flaws are seemingly limitless. In addition to run-of-the mill identity theft, bad actors could use information stolen from well-known traders to shape the way they invest. They could perform DoS attacks, and these flaws could be used to install backdoors and other hostile code that most traders wouldn't ever be able to detect.

"And this research I did only scratches the surface," Hernandez says. "It's only the end-user platforms. We haven't tested the back-end services, the back-end networks, or the back-end protocols they use in exchanges."

Related Content: 

 

 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14072
PUBLISHED: 2018-07-15
libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, and sixel_decode_raw in fromsixel.c.
CVE-2018-14073
PUBLISHED: 2018-07-15
libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c.
CVE-2018-14068
PUBLISHED: 2018-07-15
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add an admin account via admin.php?m=Admin&c=manager&a=add.
CVE-2018-14069
PUBLISHED: 2018-07-15
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add a user account via admin.php?m=Admin&c=member&a=add.
CVE-2018-14066
PUBLISHED: 2018-07-15
The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo p...