Application Security

7/6/2018
10:15 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Trading Platforms Riddled With Severe Flaws

In spite of routing trillions of dollars of stock and commodity trades every day, financial cousins to online banking applications are written very insecurely.

While many banking application developers have made great strides in hardening their software from attacks, much of the rest of the fintech application field is wide open for ownage through very basic but severe vulnerabilities reminiscent of the kind we saw nearly a decade ago.

Next month at Black Hat USA, a researcher from IOActive will detail some stark examples of this during a presentation that will show the depths of flaws found present in stock-trading platforms used by millions of traders around the globe.

"When I'm testing a web platform or mobile platform, it is as if I'm testing an application from 2010 or 2012," says Alejandro Hernandez, senior consultant for IOActive. This is a follow-on from initial research he presented last year on a limited number of mobile-trading applications. This year, he expanded the scope to desktop, web application, and mobile-trading software offered by a wide range of financial institutions. 

Hernandez found a universal lack of security controls up and down the list of 79 applications he tested. Across all three categories, he saw examples of decades-old protocols being used for communication that were sending transmissions unencrypted. He also found examples of unencrypted storage, unencrypted log files, and no enforcement for strong password policies or automatic logout.

"You'd think by the nature of the technology that these kind of technologies would be super secure," Hernandez says. "You assume, well, if my mobile-banking app or home-banking websites are secure – or at least somewhat secure – that trading applications where trillions of dollars are traded per day would also be secure. But that's not the case."

Specifically in mobile-trading applications, Hernandez found many did not even perform SSL certificate validation to prevent man-in-the-middle attacks. Additionally, few of them had any kind of anti-reversing mitigations; upon reverse-engineering them, he found that most included hard-coded secrets in the code. In the web applications, he found session cookies still created without security flags and very few of them using HTTP security headers. 

Meantime, because the desktop applications include full feature sets, they have even more interesting flaws due to a larger attack surface. For example, the desktop applications frequently use a customized programming language that make it easy for traders to install add-ons and plug-ins. But this feature also opens them up to being easily tricked into installing malicious plug-ins, such as a malicious trading robot or malicious financial indicator function. Similarly, the way these desktop applications are designed to interact and communicate with other trading technologies, they're frequently wide open to denial-of-service (DoS) conditions.  

The applications tested are primarily used by consumer investors, but Hernandez says a number of institutional investors also rely on them. The malicious applications of all these flaws are seemingly limitless. In addition to run-of-the mill identity theft, bad actors could use information stolen from well-known traders to shape the way they invest. They could perform DoS attacks, and these flaws could be used to install backdoors and other hostile code that most traders wouldn't ever be able to detect.

"And this research I did only scratches the surface," Hernandez says. "It's only the end-user platforms. We haven't tested the back-end services, the back-end networks, or the back-end protocols they use in exchanges."

Related Content: 

 

 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ronrob123
50%
50%
ronrob123,
User Rank: Apprentice
7/25/2018 | 2:31:45 PM
crypto scams
How can we route out the the theiving rogues who take your money on the pretence of investing your funds then NEVER give it back when you want it, although they tell you the money is yours at ALL times, do you think that we could approach the owners of their ip address to get them to put pressure on them to either do what they say or get exposed?. 

  And yes I have been conned out of £7332 by a company called "digitalgoldxchange.com" with an ip address of (sorry) [23.83.222.3] (that is the originating ip address)
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.