Thursday, November 9, 2017

Eavesdropper: Can You Hear Me Now?


Appthority released research today on a newly discovered vulnerability dubbed Eavesdropper. It is yet another case of enterprise data leaking from mobile devices, this time because legitimate app developers failed to secure cloud storage: specifically, they shipped hard-coded credentials inside mobile applications that use the Twilio REST API or SDK.

Quoting from Appthority's blog,
Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware.
In other words, Eavesdropper does not result from malicious code on the mobile device. The vulnerability is app developer error, pure and simple, and the exposure is not on the device but in the cloud. But this error, multiplied by hundreds of apps and millions of downloads, causes text/SMS messages, call metadata, and voice recordings to be exposed to any and all comers. Once the data is exposed, malicious actors can easily find it and launch an attack based on that data. The "attack" may be cyber or it may be in the real world, based on proprietary knowledge acquired from the exposed enterprise data.
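The developer error described above (account credentials baked into the app binary) is something a release pipeline can catch before an app ships. The following is an added example, not Appthority's tooling or code from the original post: a small Python scanner run over a strings dump from a decompiled app build. It assumes Twilio's published identifier shapes (Account SIDs are "AC" plus 32 hex characters, API Key SIDs are "SK" plus 32 hex characters, auth tokens and API secrets are 32 hex characters) and that REST calls authenticate with HTTP Basic using SID:token; the sample dump and every credential-looking value in it are constructed placeholders.

```python
"""Scan a strings dump from a decompiled mobile app for hard-coded Twilio
credentials. Added example for this post, not Appthority's scanner."""
import base64
import binascii
import re
from dataclasses import dataclass

# Identifier shapes follow Twilio's published formats (an assumption about the
# format, not something the post states).
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
API_KEY_SID_RE = re.compile(r"\bSK[0-9a-fA-F]{32}\b")
# A bare 32-hex string is only flagged when a nearby key name says it is a
# secret; this keeps build ids, hashes and similar values out of the report.
SECRET_ASSIGN_RE = re.compile(
    r"(?:auth[_-]?token|api[_-]?secret|twilio[_-]?(?:token|secret))"
    r"\s*[:=]\s*[\"']?([0-9a-f]{32})\b",
    re.IGNORECASE,
)
# The REST API authenticates with HTTP Basic (SID:token), so a pre-built
# Authorization header is another way the credential ends up in the binary.
BASIC_AUTH_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]{20,})")
BASIC_PAIR_RE = re.compile(r"^(AC[0-9a-fA-F]{32}):([0-9a-fA-F]{32})$")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the dump
    kind: str      # account_sid | api_key_sid | secret | basic_auth_sid_token
    redacted: str  # enough of the value to triage, never the whole secret


def redact(value: str) -> str:
    """Keep the first and last four characters so a report can be shared."""
    return value[:4] + "..." + value[-4:]


def _sid_from_basic(token: str):
    """Decode a Basic credential; return the Account SID if it is SID:token."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = BASIC_PAIR_RE.match(raw)
    return m.group(1) if m else None


def scan_text(text: str) -> list:
    """Return one Finding per credential-looking artefact, in line order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding(n, "account_sid", redact(m.group(0))))
        for m in API_KEY_SID_RE.finditer(line):
            findings.append(Finding(n, "api_key_sid", redact(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append(Finding(n, "secret", redact(m.group(1))))
        for m in BASIC_AUTH_RE.finditer(line):
            sid = _sid_from_basic(m.group(1))
            if sid:
                findings.append(Finding(n, "basic_auth_sid_token", redact(sid)))
    return findings


# Constructed sample: the SID and token below are placeholders, not real
# credentials, and the dump imitates what `strings` prints for a decoded app.
_PLACEHOLDER_SID = "AC0123456789abcdef0123456789abcdef"
_PLACEHOLDER_TOKEN = "fedcba9876543210fedcba9876543210"
_PLACEHOLDER_BASIC = base64.b64encode(
    f"{_PLACEHOLDER_SID}:{_PLACEHOLDER_TOKEN}".encode()
).decode()
SAMPLE_DUMP = f"""\
# constructed strings dump for the example
com.example.app.TwilioClient
TWILIO_ACCOUNT_SID={_PLACEHOLDER_SID}
twilio_auth_token: "{_PLACEHOLDER_TOKEN}"
https://api.twilio.com/2010-04-01/Accounts/
Authorization: Basic {_PLACEHOLDER_BASIC}
build_id=9f8e7d6c5b4a39281706f5e4d3c2b1a0
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        print(f"line {f.line}: {f.kind} {f.redacted}")
```

The last line of the sample dump is a 32-hex build id that is deliberately not reported, since the secret pattern only fires next to a key name; the Basic header is reported even though the SID never appears in clear text. The finding itself is the signal that the design is wrong: account credentials belong on a backend the app talks to, and the app should only ever hold short-lived, scoped tokens minted by that backend.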

Headlines about the latest malware threat get our attention, but there are no known malware attacks that have exposed nearly the amount of data--measured in terabytes--as Eavesdropper and HospitalGown. As we've noted previously, data leakage from mobile devices is a real, demonstrable threat, but enterprises often focus on malware and legacy endpoint paradigms. A broader perspective than simply a focus on the device is required to detect and remediate such threats and protect enterprise data.
