The vulnerability was discovered yesteryear researchers of the Security too Privacy Group at the University of Birmingham, who tested hundreds of dissimilar banking apps—both iOS too Android—and found that several of them were affected yesteryear a mutual issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include HSBC, NatWest, Co-op, Santander, too Allied Irish Gaelic bank, which direct keep forthwith been updated afterward researchers reported them of the issue.
According to a question newspaper [PDF] published yesteryear researchers, vulnerable applications could direct keep allowed an attacker, connected to the same network equally the victim, to intercept SSL connectedness too call back the user's banking credentials, similar usernames too passwords/pincodes—even if the apps are using SSL pinning feature.
SSL pinning is a safety characteristic that prevents man-in-the-middle (MITM) attacks yesteryear enabling an additional layer of trust betwixt the listed hosts too devices.
When implemented, SSL pinning helps to neutralize network-based attacks wherein attackers could endeavour to exercise valid certificates issued yesteryear rogue certification authorities.
"If a unmarried CA acted maliciously or were compromised, which has happened before, valid certificates for whatever domain could hold upwards generated allowing an assailant to Man-in-the-Middle all apps trusting that CA certificate," the researchers wrote inward their paper.However, in that place are 2 telephone commutation parts to verify an SSL connection—the outset (authentication) is to verify whether the certificate is from a trusted source too the 2nd (authorization) is to brand certain the server you lot are connecting to presents the correct certificate.
Researchers found that due to lack of hostname verification, several banking applications were non checking if they connected to a trusted source.
Verifying a hostname ensures the hostname inward the URL to which the banking app connects matches the hostname inward the digital certificate that the server sends dorsum equally role of the SSL connection.
"TLS misconfiguration vulnerabilities are clearly common; nevertheless none of the existing frameworks volition uncovering that a customer pins a root or intermediate certificate, exactly fails to banking concern check the hostname inward the leaf," the newspaper reads.Besides this issue, the researchers also detailed an "in-app phishing attack" affecting Santander too Allied Irish Gaelic Banks, which could direct keep allowed attackers to hijack role of the victim's concealment spell the app was running too exercise it to phish for the victim's login credentials.
To exam this vulnerability inward hundreds of banking apps apace too without requiring to buy certificates, researchers created a novel automated tool, dubbed Spinner.
"Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that exclusively differ inward the foliage certificate. The tool too then redirects the traffic from the app nether exam to a website which has a certificate signed yesteryear the same CA certificate, exactly of course of pedagogy a dissimilar hostname (Common Name)," the researchers explain.
"If the connectedness fails during the institution stage too then nosotros know the app detected the incorrect hostname. Whereas, if the connectedness is established too encrypted application information is transferred yesteryear the customer earlier the connectedness fails too then nosotros know the app has accepted the hostname too is vulnerable."The trio, Chris McMahon Stone, Tom Chothia, too Flavio D. Garcia, worked amongst the National Cyber Security Centre (NCSC) to notify all affected banks, which too then resolved the issues earlier they publicly disclosed their question this week.
Share This :
comment 0 Comments
more_vert