Security researchers this week revealed a flaw in several popular banking apps which could have exposed as many as 10 million customers to Man in the Middle (MITM) attacks.
The vulnerability in question stems from the fact that the affected apps did not verify that the hostname in the certificate presented by the server matched the hostname of the server they were trying to connect to.
This could allow malicious third parties on the same network as the victim to step in and take control of an online banking session, intercepting usernames and passwords to hijack an account.
Certificate pinning, a feature intended to prevent the use of fraudulent certificates, actually meant that the flaw went undetected in standard tests, according to the University of Birmingham researchers who discovered it. Because the apps pinned the certificate authority that issued the bank's certificate, a genuine certificate for any other domain issued by that same authority was accepted in place of the bank's, whereas the self-signed or test-authority certificates used in routine MITM testing were rejected by the pin, so ordinary tests gave the impression that TLS was correctly configured.
Using a newly developed testing tool dubbed “Spinner”, they found several of the 400 “security critical” apps they examined to be vulnerable, including those of HSBC, NatWest, and Co-op.
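The following is an added illustration, not code from the Birmingham researchers or from any of the banks' apps, of why pinning without hostname verification passes a standard MITM test but fails the kind of test Spinner performs. It models the two checks in plain Python over constructed certificate data: the public key bytes, pin set, hostnames and certificate records are all made up for the example, and chain signature checking is assumed to have already succeeded.

```python
import hashlib
from typing import Dict, Sequence, Set

# Constructed stand-ins for the Subject Public Key Info of two CAs. A real
# client would hash the DER-encoded SPKI taken from the certificate chain;
# these bytes are placeholders so the example runs offline.
PINNED_CA_SPKI = b"constructed-spki-of-the-bank's-pinned-CA"
OTHER_CA_SPKI = b"constructed-spki-of-some-other-public-CA"


def spki_sha256(spki: bytes) -> str:
    """Hex SHA-256 of a public key, the usual form in which pins are stored."""
    return hashlib.sha256(spki).hexdigest()


# The app's pin set: it trusts any leaf certificate issued under the bank's CA key.
PIN_SET: Set[str] = {spki_sha256(PINNED_CA_SPKI)}

# Constructed certificates reduced to the two fields that matter here:
# 'issuer_spki' is the key that signed the leaf, 'san' its dNSName entries.
BANK_CERT = {"san": ["mobile.bank.example"], "issuer_spki": PINNED_CA_SPKI}
SAME_CA_OTHER_HOST = {"san": ["attacker.example"], "issuer_spki": PINNED_CA_SPKI}
OTHER_CA_RIGHT_HOST = {"san": ["mobile.bank.example"], "issuer_spki": OTHER_CA_SPKI}


def pin_matches(cert: Dict, pins: Set[str]) -> bool:
    """Pinning check: was the leaf issued under a key we pinned?"""
    return spki_sha256(cert["issuer_spki"]) in pins


def hostname_matches(hostname: str, san: Sequence[str]) -> bool:
    """RFC 6125-style match: exact label-by-label match, or a wildcard only in
    the leftmost label that never spans a dot (*.bank.example matches
    mobile.bank.example but not a.b.bank.example or bank.example)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            # Require at least two labels after the wildcard so "*.com" is refused.
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def verify_pin_only(cert: Dict, hostname: str, pins: Set[str] = PIN_SET) -> bool:
    """The flawed client: pinning was treated as a replacement for hostname verification."""
    return pin_matches(cert, pins)


def verify_pin_and_hostname(cert: Dict, hostname: str, pins: Set[str] = PIN_SET) -> bool:
    """Hardened client: pinning in addition to, never instead of, the hostname check."""
    return pin_matches(cert, pins) and hostname_matches(hostname, cert["san"])


def run_tests(verify) -> Dict[str, bool]:
    """Run a client's verifier against three constructed certificates.

    'standard_test' presents a certificate for the right hostname from a CA the
    app does not pin (what a tester's interception proxy produces); 'spinner_test'
    presents a certificate for a different hostname issued under the pinned CA.
    """
    host = "mobile.bank.example"
    return {
        "legitimate_accepted": verify(BANK_CERT, host),
        "standard_test_rejected": not verify(OTHER_CA_RIGHT_HOST, host),
        "spinner_test_rejected": not verify(SAME_CA_OTHER_HOST, host),
    }


if __name__ == "__main__":
    print("pin only:        ", run_tests(verify_pin_only))
    print("pin + hostname:  ", run_tests(verify_pin_and_hostname))
```

The pin-only client rejects the proxy certificate in the standard test, which is exactly why a tester concludes the app is safe, yet it accepts a certificate for an unrelated domain as long as the same authority issued it. Anyone who can obtain such a certificate for a domain they own, and who sits on the victim's network, can then terminate the TLS session. The hardened verifier rejects both test certificates while still accepting the bank's own.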
The researchers also detailed an “in-app phishing attack” affecting the Santander and Allied Irish Bank apps, which could have allowed an attacker to take over part of the user’s screen and use it to phish for the target’s log-ins.
The university worked with the National Cyber Security Centre (NCSC) and all affected banks to resolve the problems before they were made public this week at the Annual Computer Security Applications Conference (ACSAC) in Orlando.
“In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed,” said researcher Tom Chothia.
“It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
Ilia Kolochenko, CEO of web security company High-Tech Bridge, argued that most mobile apps have been riddled with vulnerabilities for years.
“This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organizations and the relative complexity of practical exploitation of mobile app flaws,” he added.