Cloud Credentials Exposed in Popular Mobile Apps: A Big Security Concern

Threat Actor: Unknown | unknown
Victim: Pic Stitch: Collage Maker | Pic Stitch: Collage Maker
Price: Potential data theft or manipulation
Exfiltrated Data Type: AWS credentials, user data

Key Points:

  • Hardcoded and unencrypted AWS credentials found in multiple popular mobile apps.
  • Pic Stitch app has over 5 million downloads and contains hardcoded AWS credentials for accessing an Amazon S3 bucket.
  • Other affected apps include Crumbl, Eureka: Earn Money for Surveys, and Videoshop – Video Editor, which also expose sensitive cloud resources.
  • Meru Cabs and Sulekha Business apps have hardcoded Microsoft Azure Blob Storage credentials, risking unauthorized access to critical cloud storage.
  • Developers are urged to adopt better security practices, such as using environment variables and implementing secrets management.

Threat Actor: Unknown | unknown
Victim: Crumbl | Crumbl
Price: Potential data theft
Exfiltrated Data Type: AWS credentials

Key Points:

  • Crumbl app uses plain-text AWS credentials, posing a significant security risk.
  • Hardcoded WebSocket Secure (WSS) endpoint increases vulnerability to attacks.
  • Millions of downloads and high ratings do not mitigate the security risks posed by hardcoded credentials.

Threat Actor: Unknown | unknown
Victim: Meru Cabs | Meru Cabs
Price: Potential unauthorized access to sensitive data
Exfiltrated Data Type: Microsoft Azure Blob Storage credentials

Key Points:

  • Meru Cabs app has over 5 million downloads and contains hardcoded Microsoft Azure credentials.
  • These credentials are used for managing log uploads, exposing critical cloud storage resources.
  • Security risks are heightened due to the widespread use of these applications.

Threat Actor: Unknown | unknown
Victim: Sulekha Business | Sulekha Business
Price: Potential unauthorized access to sensitive data
Exfiltrated Data Type: Microsoft Azure Blob Storage credentials

Key Points:

  • Sulekha Business app has been found to have hardcoded Azure Blob Storage credentials.
  • This practice exposes sensitive data to potential abuse and unauthorized access.
  • Developers are encouraged to adopt better security practices to mitigate these risks.

In a recent report by Symantec, a critical security issue has been uncovered in several widely-used mobile applications across both Android and iOS platforms. These apps have been found to contain hardcoded cloud service credentials, exposing users and backend services to significant security risks.

The report reveals that several popular mobile applications have hardcoded and unencrypted Amazon Web Services (AWS) and Microsoft Azure credentials within their source code. This dangerous practice means that attackers who gain access to the app’s binary or source code could easily extract these credentials, enabling unauthorized access to cloud resources, user data, and backend infrastructure.

One particularly concerning example is the Pic Stitch: Collage Maker app, which has over 5 million downloads on the Google Play Store. The app’s source code contains hardcoded AWS credentials that are used to access an Amazon S3 bucket, posing a significant risk of data theft or manipulation. As noted in the report, “If the boolean flag is set to true, the app loads the production credentials, including the production Amazon S3 bucket name, the read and write access keys, and secret keys,” leaving them vulnerable to exploitation.

Other apps, such as Crumbl, Eureka: Earn Money for Surveys, and Videoshop – Video Editor, also fall victim to this flaw. These apps, which collectively have millions of downloads and stellar user ratings, have been found to hardcode AWS credentials, exposing sensitive cloud resources to potential attacks. For instance, Crumbl’s use of plain-text credentials to configure AWS services, along with a hardcoded WebSocket Secure (WSS) endpoint, poses a significant security risk.

Similarly, on the Android side, apps like Meru Cabs and Sulekha Business have hardcoded Microsoft Azure Blob Storage credentials. The Meru Cabs app, with over 5 million downloads, uses these credentials to manage log uploads. This exposes critical cloud storage resources to potential abuse, making sensitive data highly vulnerable to unauthorized access.

Hardcoding credentials, especially without encryption, leaves apps wide open to attack. According to the report, “Anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches.” The problem is exacerbated by the widespread use of these apps, putting millions of users at risk.

To address this issue, developers need to adopt better security practices, such as:

  • Use Environment Variables: Store sensitive credentials in environment variables loaded at runtime, rather than embedding them directly in the app’s source code.
  • Implement Secrets Management: Leverage tools like AWS Secrets Manager or Azure Key Vault to securely store and access cloud service credentials.
  • Encrypt Sensitive Data: If credentials must be stored, ensure they are encrypted using strong encryption algorithms, and only decrypt them when needed.
  • Regular Code Reviews and Audits: Periodically review code for security vulnerabilities, such as hardcoded credentials, to mitigate risks early.
  • Automate Security Scanning: Integrate security scanning tools into your CI/CD pipeline to catch potential vulnerabilities, such as hardcoded credentials, during the development process.
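As an added example of the last item (not code from the Symantec report or any app it names), a minimal CI gate that scans decompiled source, resource files or `strings` output for the credential types the report describes: AWS access key IDs, quoted 40-character AWS secrets, and Azure Storage connection strings, redacting each match so findings can be logged safely. The `CloudConfig` sample input is constructed to mirror the "production flag" pattern quoted above; its AWS values are the placeholder credentials from AWS's own documentation, and the Azure account key is made up.

```python
"""Hardcoded cloud-credential scanner for a CI/CD gate (added example).
Feed it decompiled source, resource files, or `strings` output from a binary."""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int
    kind: str
    preview: str  # redacted, so it is safe to print in build logs

PATTERNS = {
    # AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary STS).
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-char AWS secret assigned to a name containing "secret"; requiring quotes cuts noise.
    "aws_secret_access_key": re.compile(r"(?i)secret\w*\s*[:=]\s*[\"']([A-Za-z0-9/+]{40})[\"']"),
    # Azure Storage connection strings carry the account key inline.
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=[^;\s]+;AccountKey=([A-Za-z0-9+/=]{40,})"),
}

# Constructed sample: a build flag selects production credentials compiled into the app.
# AWS values are the placeholders from AWS documentation; the Azure key is invented.
SAMPLE_SOURCE = """\
public class CloudConfig {
    static final boolean USE_PROD = true;
    static final String S3_BUCKET = "prod-user-uploads";
    static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String LOG_UPLOAD_CONN = "DefaultEndpointsProtocol=https;AccountName=applogs;AccountKey=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/==;EndpointSuffix=core.windows.net";
}
"""

def redact(secret: str) -> str:
    """Keep a 4-char prefix so a finding can be located without leaking the value."""
    return secret[:4] + "*" * min(len(secret) - 4, 8)

def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking match, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(1))))
    return findings

def ci_gate(text: str) -> bool:
    """True when the build may proceed, i.e. no hardcoded credentials were found."""
    return not scan_text(text)
```

Running `scan_text(SAMPLE_SOURCE)` reports the access key on line 4, the secret on line 5 and the Azure connection string on line 6, and `ci_gate` fails the build; the secret pattern is deliberately a heuristic and should be tuned against a project's own false-positive rate.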

Original Source: https://securityonline.info/hardcoded-cloud-credentials-found-in-popular-mobile-apps-a-major-security-flaw/