Μεγάλο κενό ασφαλείας επηρεάζει περίπου 1000 iOS εφαρμογές του App store καθιστώντας τες ευάλωτες σε κακόβουλες επιθέσεις, σύμφωνα με πρόσφατη έκθεση της SourceDNA.
Το κενό ασφαλείας εντοπίστηκε πριν περίπου 1 μήνα και διορθώθηκε με αναβάθμιση σε συγκεκριμένο open source library που χρησιμοποιεί πολύ μεγάλη μερδία των developers, ωστόσο όπως φαίνεται υπάρχουν περίπου 1000 apps που παραμένουν ευάλωτα.
AFNetworking recently had a major security flaw. Due to lack of SSL cert validation, the proverbial coffee shop attacker could easily bypass SSL and see all your app's user credentials and banking data. We decided to track down apps that were still using the vulnerable version of AFNetworking and notify their developers so they could patch the flaw.
First, we had to determine the vulnerability window. We found the AFNetworking flaw was present in the Github repo from January 24 through March 25. More importantly, it had been released as version 2.5.1on February 12 before being fixed in version 2.5.2. Any developer who updated their app during that window could have integrated the vulnerable library.
We then uploaded three versions of AFNetworking: before, during, and after the flaw. SourceDNA created a differential fingerprint from them to find the vulnerable code. Think of this as a set of unique characteristics that were present or absent only in the targeted version and not any others before or after it. With this set of signatures, our analysis engine would tell us exactly which version of AFNetworking was in use in each app.
We currently track AFNetworking, along with about 1,500 other commercial and open-source SDKs. This includes code written in Java, Objective-C, Swift, C/C++, C#, Lua, and JavaScript for libraries that provide analytics, game engines, ads, payments, and every other service. This data helps platform vendors track their market share versus competitors and plan their product roadmap.
The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.
The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw.
Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.
Στο link που ακολουθεί μπορείτε να ψάξετε τις εφαρμογές που έχετε εγκατεστημένες και να ενημερωθείτε για το αν κάποια από αυτές διαθέτει το εν λόγω κενό ασφαλείας: searchlight.sourcedna.com