Banking Apps Found Vulnerable to MITM Attacks

Credit: threatpost.com

  • Dec 07 2017 19:35

Leading US and UK-based banks have patched a flaw found in their Android and iOS mobile apps that allowed adversaries to conduct man-in-the-middle attacks to steal customer credentials and view and manipulate network traffic.

According to the researchers at the School of Computer Science at the University of Birmingham who found the flaw, the vulnerability affected nine apps belonging to banks such as Bank of America and HSBC, as well as the TunnelBear VPN app.

Researchers outline their findings in an academic paper (PDF) presented this week at the Annual Computer Security Applications Conference in Orlando, Florida. “This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks,” wrote the report’s co-authors Chris Stone, Tom Chothia and Flavio Garcia.

Certificate pinning allows an app to specify a particular certificate (or issuing certificate) that it trusts for a given server. This helps defeat a number of attacks, specifically MITM attacks that rely on presenting a spoofed certificate for a trusted app or website.

What researchers found was a vulnerability in each of the apps’ implementation of the certificate pinning and certificate verification used when creating a Transport Layer Security (TLS) connection. “TLS is a tricky protocol to get right: both misconfiguration vulnerabilities and attacks on the protocol are common.”

For example, last year Mozilla patched a highly scrutinized flaw in its automated update process for browser add-ons tied to the expiration of certificate pins that allowed attackers to intercept encrypted browser traffic, inject a malicious NoScript extension update and gain remote code execution.

“Automated tools do exist to test a variety of TLS flaws,” the researchers wrote. “However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname… We argue that conducting large-scale testing in this manner is difficult and expensive.”

As part of an effort to reduce cost and more easily identify pinning-related vulnerabilities at scale, the researchers released a zero-cost, automated testing tool called Spinner as part of their research.

The Spinner tool allows for more thorough testing of mobile apps, specifically of how the apps perform hostname verification. Using Spinner, the researchers identified ten instances where an app’s certificate pinning inadvertently masked improper hostname verification, allowing MITM attacks.

“Spinner (is) a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analyzing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning,” researchers wrote.
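The two checks at issue above, as an added example that is not code from the paper or from the Spinner tool: a lab root CA stands in for the certificate an app pins, and it issues a certificate for a different host, which is exactly what an app sees when its traffic is redirected to another site that uses the same CA. A pin-only check accepts that certificate; a pin-plus-hostname check rejects it. The CA name and both hostnames are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// labChain builds a root CA (the certificate the app pins) and a leaf it issued for leafHost; keys and names are constructed for this lab.
func labChain(leafHost string) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafHost}, DNSNames: []string{leafHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	if root == nil || leaf == nil {
		panic("lab PKI setup failed")
	}
	return root, leaf
}

// verifyPinned validates leaf against the pinned root; with expectedHost == "" the hostname is never compared (the flaw), otherwise it is (the fix).
func verifyPinned(leaf, pinnedRoot *x509.Certificate, expectedHost string) error {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: expectedHost})
	return err
}

func main() {
	root, leaf := labChain("other-site.example") // valid under the pinned CA, but not for the bank's host
	fmt.Println("pin only      :", verifyPinned(leaf, root, ""))             // <nil>: accepted
	fmt.Println("pin + hostname:", verifyPinned(leaf, root, "bank.example")) // hostname error: rejected
}
```

In Go's `x509.VerifyOptions`, an empty `DNSName` disables hostname checking entirely, which is the same shape as the mobile-app bug: the chain is anchored to the pinned CA, but nothing ties the certificate to the server the app meant to talk to.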

Those apps that implemented certificate pinning but failed to verify hostnames correctly include: Bank of America Health, TunnelBear VPN, Meezan Bank, Smile Bank, HSBC, HSBC Business, HSBC Identity, HSBCnet and HSBC Private.

“We use Spinner to analyze 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable,” they wrote.

A typical MITM attack exploiting this flaw entails an attacker and victim sharing the same WiFi network. “Using ARP or DNS spoofing, the victim’s traffic can be redirected to the attacker… When the victim attempts to use their vulnerable app, the attacker can intercept the TLS handshake and provide the app with a certificate signed by the certificate that the app pins to,” researchers wrote.

University of Birmingham researchers said each of the banks was notified of the flaws in its apps and the vulnerabilities have been mitigated.
