U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Mobile apps still vulnerable to FREAK attacks

Despite principal vendors have released updates to fix the FREAK vulnerability many mobile apps for Android and Apple iOS are still vulnerable. Early March, security experts discovered a critical vulnerability codenamed FREAK (CVE-2015-0204), also known as Factoring Attack on RSA-EXPORT Keys, which could be exploited by threat actors to run  man-in-the-middle attacks on encrypted traffic when Internet users visited […]

Mobile apps still vulnerable to FREAK attacks

Despite principal vendors have released updates to fix the FREAK vulnerability many mobile apps for Android and Apple iOS are still vulnerable.

Early March, security experts discovered a critical vulnerability codenamed FREAK (CVE-2015-0204), also known as Factoring Attack on RSA-EXPORT Keys, which could be exploited by threat actors to run  man-in-the-middle attacks on encrypted traffic when Internet users visited supposedly secured websites.

By exploiting the FREAK flaw an attacker can force clients to use older and weaker encryption, then he can crack the traffic protected with 512-bit key encryption in a few hours. Once decrypted the traffic a threat actor can steal sensitive information or launch an attack by injecting malicious code.

Yesterday OpenSSL Team announced the presence of another critical vulnerability in the library that will be fixed with by a new update anticipated with an official advisory. Which is actual exposure to FREAK attacks for iOS and Android applications?

FireEye firm has published the report  that reveal a disconcerting reality,  despite vendors issued patched for Android and iOS, several apps are still vulnerable to FREAK attacks when connecting to servers that accept RSA_EXPORT cipher suites. Many iOS apps are still vulnerable to FREAK attack despite Apple has recently the iOS 8.2 version for its mobile devices.

“Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites,” states FireEye in a blog post “That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2 on March 9.”

FireEye scanned 10,985 popular Google Play Android apps and discovered that nearly 11.2 percent are vulnerable to the FREAK attack because they use a vulnerable OpenSSL library.

These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps (1,228 apps), 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK.

Analyzing the vulnerable apps the researchers discovered that 664 applications are using Android’s bundled OpenSSL library and 564 custom compiled library.

The situation is better for Apple devices, only 771 of 14,000 apps scanned resulted vulnerable.

“These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2,” the researchers wrote. “Seven these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.” continues the report.

The researchers have grouped the apps into several categories (photo and video apps, lifestyle, social networking, health fitness, finance, communication, shopping, business and medical apps), in the following graph is reported the number of vulnerable apps by category.

 

mobile apps vulnerable to FREAK attack

The report includes an example of the tests executed by FireEye, the experts tries the exploitation of the FREAK vulnerability affecting a popular shopping app. The researchers exploited the flaw to successfully steal user’s login credentials and credit card information.

Freak attack

 

Pierluigi Paganini

(Security Affairs – mobile apps, FREAK)