Hundreds of mobile apps have been detected leaking Amazon Web Services (AWS) credentials.
Recent Symantec analysis (opens in a new tab) 1,859 publicly available applications were identified, 98% of which are iOS applications that contain encrypted AWS credentials that could put your data at risk.
The company found that more than three-quarters (77%) of applications contained valid AWS access tokens for accessing private AWS cloud services, and nearly half (47%) contained valid AWS tokens, which also provided full access to many, often millions , private files via Amazon Simple Storage Service (Amazon S3).
Password leaks to AWS
According to security researcher Kevin Watkins, some of the causes of the vulnerabilities include the unknown use of vulnerable external software libraries and SDKs, outsourcing of application development, and collaboration between teams that can create many opportunities for information loss and ineffective communication.
The analysis highlights three real examples of affected companies. The first unnamed B2B company to provide an intranet and messaging platform provided its customers with a mobile SDK that exposed the keys of the company’s cloud infrastructure by revealing things like financial data and private data.
The second example cites a series of iOS banking apps that outsourced the digital ID and authentication component of their respective apps. Personal information about affected users of this SDK has been disclosed, including names and dates of birth. In addition, more than 300,000 biometric digital fingerprints leaked from five banking applications.
Finally, a hospitality company that teamed up with another company to release its technology platform revealed business and customer data from a library that was used by 16 different apps.
The research results have been shared with the companies involved, but it is not yet known whether the problems have been resolved with immediate effect.
By A hissing computer (opens in a new tab)