1859 apps contain hardcoded AWS credentials – IT Security Guru

Security researchers have identified 1,859 apps on Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials. Because anything embedded in an app package can be extracted by anyone who downloads it, this poses a serious security risk.

Symantec’s Threat Hunter team, part of Broadcom Software, wrote in a report that “more than three quarters (77%) of applications contained valid AWS access tokens allowing access to private AWS cloud services”.

More than half of the apps contained the same AWS tokens found in other apps, including apps from different developers and enterprises. That pattern points to a supply chain issue: the credential is most likely shipped inside a shared component rather than added by each developer.

“AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in application development.”

These credentials are typically used to access configuration files, authenticate to other cloud services, and download resources needed for application functionality.

Worryingly, nearly 50% of the identified applications contained valid AWS tokens that granted full access to private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included access to data backups and infrastructure files.
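The scan behind these numbers is, at its simplest, a search for AWS-shaped credentials in the strings of an unpacked app, followed by a check for the same key turning up in more than one app. Below is an added example of that workflow in Python; it is not Symantec's tooling or code from the report. It assumes you have already dumped string resources from the packages (for example with `strings` over a decoded APK or IPA); the three app dumps are constructed inline, using the AWS documentation example key ID and secret plus made-up values, none of which is a live credential.

```python
import math
import re
from collections import Counter, defaultdict

# AWS IAM access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary/STS) followed by 16 upper-case alphanumerics. Secret access keys
# are 40 characters from the base64 alphabet. Both patterns are heuristics.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5  # bits per character; real secrets land well above this

# Constructed sample input (assumption for this example): lines as they might come
# out of `strings` over resources from three hypothetical app packages. The key
# material is the AWS documentation example key plus made-up values.
SAMPLE_DUMPS = {
    "com.example.bankA": [
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "https://example-bucket.s3.amazonaws.com/config/app.json",
    ],
    "com.example.bankB": [
        "# same identity SDK as bankA, same embedded credential",
        "AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ],
    "com.example.notes": [
        "padding=" + "x" * 40,                # 40 chars, but far too uniform to be a secret
        "session_key=ASIAQWERTYUIOP123456",   # shaped like a temporary STS key ID
    ],
}


def shannon_entropy(s: str) -> float:
    """Bits per character; zero for a string made of one repeated symbol."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_key_ids(text: str) -> list[str]:
    return KEY_ID_RE.findall(text)


def find_secret_candidates(text: str) -> list[str]:
    # The entropy filter drops padding, repeated characters and similar false positives.
    return [m for m in SECRET_RE.findall(text) if shannon_entropy(m) >= MIN_SECRET_ENTROPY]


def scan_app(lines: list[str]) -> dict[str, list[str]]:
    """Return de-duplicated key IDs and secret candidates found in one app's strings."""
    key_ids, secrets = [], []
    for line in lines:
        for k in find_key_ids(line):
            if k not in key_ids:
                key_ids.append(k)
        for s in find_secret_candidates(line):
            if s not in secrets:
                secrets.append(s)
    return {"key_ids": key_ids, "secrets": secrets}


def scan_all(dumps: dict[str, list[str]]) -> dict[str, dict[str, list[str]]]:
    return {app: scan_app(lines) for app, lines in dumps.items()}


def shared_keys(findings: dict[str, dict[str, list[str]]]) -> dict[str, list[str]]:
    """Key IDs present in two or more apps: the signature of a shared SDK or library."""
    owners = defaultdict(set)
    for app, result in findings.items():
        for k in result["key_ids"]:
            owners[k].add(app)
    return {k: sorted(apps) for k, apps in owners.items() if len(apps) >= 2}


if __name__ == "__main__":
    findings = scan_all(SAMPLE_DUMPS)
    for app, result in findings.items():
        print(app, result)
    print("reused across apps:", shared_keys(findings))
```

A key ID that appears in several unrelated apps is the cue to look for the shared library or SDK that carries it, which is how the report attributes the reuse. Whether a recovered key is still valid, and what it can reach, is a separate step that has to be done against the account with the owner's consent; this scanner only finds the material.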

Additionally, the report found that five iOS banking apps, which all rely on the same AI digital identity SDK, contained cloud credentials, essentially leaking fingerprint information from over 300,000 users.

A particularly alarming case discovered by Symantec involved an unnamed B2B company offering an intranet and communications platform that also provided a mobile software development kit (SDK) to its customers. The company had embedded its cloud infrastructure keys in the SDK so that the SDK could reach the platform's translation service.

Since those keys were not limited to the translation service, all of the company's customer data was exposed. It is believed to have encompassed corporate data and financial records belonging to more than 15,000 medium and large companies.

“Instead of restricting the use of the hard-coded access token with the translation cloud service, anyone with the token had full, unfettered access to all of the B2B enterprise’s AWS cloud services.”
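What “restricting the use of the hard-coded access token with the translation cloud service” would have meant is an IAM policy question. The following added example (not code from the report or from the company involved) places a constructed unrestricted policy beside a constructed policy scoped to the translation service, with a small check that flags wildcard actions. The policy documents, statement IDs and function names are assumptions for illustration.

```python
import json

# Constructed policies for illustration (assumption); neither is the real policy
# behind the Symantec case. The first is what "full, unfettered access" looks like
# in IAM terms; the second is what a translation-only SDK token should be limited to.
UNRESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EverythingForTheSdk",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
""")

TRANSLATE_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TranslateOnly",
      "Effect": "Allow",
      "Action": ["translate:TranslateText"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def services_granted(policy: dict) -> set[str]:
    """Service prefixes reachable through Allow statements ("*" means every service)."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return services


def broad_statements(policy: dict) -> list[dict]:
    """Allow statements whose Action is a global ("*") or service-wide ("svc:*") wildcard.

    Resource "*" on its own is not flagged: some actions, TranslateText among
    them, take no resource ARN, so "*" is the only value that works there.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            flagged.append({
                "Sid": stmt.get("Sid"),
                "wildcard_actions": wildcards,
                "all_resources": "*" in _as_list(stmt.get("Resource")),
            })
    return flagged


if __name__ == "__main__":
    for name, policy in [("unrestricted", UNRESTRICTED_POLICY),
                         ("translate-only", TRANSLATE_ONLY_POLICY)]:
        print(name, "services:", sorted(services_granted(policy)),
              "flagged:", broad_statements(policy))
```

The check ignores NotAction, NotResource and Condition blocks, so a clean result is a first pass, not a sign-off. Scoping the key also does not remove the underlying problem: a long-term access key shipped inside an app can be extracted by anyone who downloads it, so the stronger fix is to hand out short-lived, per-user or per-device credentials rather than embedding a key at all.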

Symantec said it has alerted the affected organizations to the issues discovered in their apps.

The findings are a reminder that API keys and cloud credentials embedded in apps remain a hot topic of discussion in cybersecurity spheres.
