Users tend to trust the apps in app stores blindly, believing that they are always safe to download and use. That is not always the case.
CloudSEK, a cyber security and machine learning company, saw the need for a platform where users can look up an app's security rating and other security issues concerning it. To identify such pitfalls and vulnerabilities at scale, the company built a platform named BeVigil.
Hacker News shared a report in which, according to BeVigil, over 40 apps with more than 100 million cumulative downloads have Amazon Web Services (AWS) keys hardcoded and embedded within them. This puts users' data at risk of leaking through cyber-attacks.
Popular Apps leaking AWS keys
The leak of AWS keys is not limited to small-scale apps; it also affects major applications such as Adobe Photoshop Fix, Adobe Comp, Hootsuite and IBM's Weather Channel. BeVigil analysed over 10,000 apps, and these findings are based on that analysis.
“AWS keys hardcoded in a mobile app source code can be a huge problem, especially if its [Identity and Access Management] role has wide scope and permissions,” CloudSEK researchers said. “The possibilities for misuse are endless here, since the attacks can be chained and the attacker can gain further access to the whole infrastructure, even the code base and configurations.”
For example, in one app analysed by the cyber security firm, the AWS key had access to multiple AWS services, including credentials for the S3 storage service. These gave access to 88 buckets containing 10,073,444 files, adding up to 5.5 terabytes of data.
Data breaches through misconfigured AWS resources that are reachable from the internet have become common in recent times. In October 2019, the cybersecurity firm Imperva revealed that information from an unspecified subset of its Cloud Firewall product customers had been accessible online after a botched cloud migration of its customer database that began in 2017.
In another incident last month, the India-based stock brokerage and discount platform Upstox suffered a security incident in which the notorious hacking group ShinyHunters accessed its improperly configured AWS S3 buckets.
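As an added illustration of the pre-release check a development team can run over its own decompiled or unpacked build (example code written for this article, not CloudSEK's BeVigil scanner), the script below flags AWS access key IDs by their fixed prefix and filters 40-character secret candidates by entropy to cut false positives. The sample input is a constructed snippet of a decompiled BuildConfig class; the credential values are the placeholders from AWS's own documentation.

```python
import math
import re

# Access key IDs issued by AWS IAM start with "AKIA" (long-lived user keys) or
# "ASIA" (temporary STS keys), followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from a base64-like alphabet; that shape
# alone is too loose, so each match is also filtered by Shannon entropy below.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above words and identifiers."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def find_aws_key_candidates(text: str, min_secret_entropy: float = 4.0) -> list:
    """Scan decompiled source text line by line and report AWS access key IDs and
    high-entropy 40-character strings that look like secret access keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group()})
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group()) >= min_secret_entropy:
                findings.append({"line": lineno, "kind": "secret_key_candidate", "value": m.group()})
    return findings


# Constructed sample resembling a decompiled Android BuildConfig class (not a real
# app); the credential values are the placeholders used in AWS's own documentation.
SAMPLE_DECOMPILED = """\
public final class BuildConfig {
    public static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    public static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    public static final String BUCKET = "app-user-uploads";
    public static final String FILLER = "placeholderplaceholderplaceholderplaceho";
}
"""

if __name__ == "__main__":
    for f in find_aws_key_candidates(SAMPLE_DECOMPILED):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

The low-entropy FILLER string on the last line of the sample is deliberately not reported, while the two credential lines are.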
Conclusion-
Mobile users should be careful when downloading any software from any website, and should use search engines like BeVigil to check an application's security features before entering any personal or sensitive information.