Some of the world’s most popular apps permit unlimited brute force password guessing attempts.
The 53 exposed Android and Apple apps, collectively downloaded more than 600 million times, include SoundCloud, ESPN, CNN, Expedia, and Walmart.
So far, a dozen of the 15 apps named have failed to fix the server-side flaws after being given 30 days to act ahead of disclosure. The remaining apps will be named 30 July.
Developers for the popular apps Wunderlist, Dictionary, and Pocket implemented rate-limiting fixes to prevent multiple brute-force sign-in attempts after being informed of the vulnerabilities.
AppBugs researchers, citing recent work (PDF), say attackers could take between 30 minutes and a month to break into most accounts.
“Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user,” the researchers say.
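The fix the article credits to Wunderlist, Dictionary and Pocket is, in outline, a server-side limit on failed sign-in attempts. The following is an added example, not code from the article or from any of the apps it names: a small login service that keeps two sliding-window counters of failures (per account and per source address) and refuses further attempts once either threshold is reached, so the "unlimited login attempts" the researchers describe are no longer possible. The class and function names (`LoginService`, `attempt_login`, `build_demo_service`), the thresholds, the demo accounts and their passwords are all assumptions constructed for the demonstration.

```python
"""Server-side throttling of failed sign-in attempts.

Added example, not code from the article or from any of the apps it names.
The service verifies a password only after checking two sliding-window
failure counters (per account and per source address); once either limit is
reached the request is refused before the credential check runs. Thresholds,
account names and passwords are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Demo policy (assumed values, not taken from the article).
MAX_FAILURES_PER_ACCOUNT = 5      # failed attempts per account per window
MAX_FAILURES_PER_SOURCE = 20      # failed attempts per source address per window
WINDOW_SECONDS = 15 * 60          # sliding window length in seconds
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(record: Optional[Tuple[bytes, bytes]], password: str) -> bool:
    """Constant-time comparison; hashes even for unknown users so that
    response timing does not reveal whether the account exists."""
    salt, expected = record if record is not None else (bytes(16), bytes(32))
    _, actual = hash_password(password, salt)
    return record is not None and hmac.compare_digest(actual, expected)


class SlidingWindowCounter:
    """Counts timestamps per key that fall inside the last `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def count(self, key: str, now: float) -> int:
        return len(self._prune(key, now))

    def record(self, key: str, now: float) -> None:
        self._prune(key, now).append(now)

    def clear(self, key: str) -> None:
        self._events.pop(key, None)


class LoginService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users
        self.by_account = SlidingWindowCounter(WINDOW_SECONDS)
        self.by_source = SlidingWindowCounter(WINDOW_SECONDS)

    def attempt_login(self, username: str, password: str, source_ip: str,
                      now: Optional[float] = None) -> str:
        """Returns 'ok', 'invalid' or 'throttled'."""
        now = time.monotonic() if now is None else now
        # Limits are checked first: a throttled request never reaches the
        # password check, so guessing stops paying off after the threshold.
        if self.by_source.count(source_ip, now) >= MAX_FAILURES_PER_SOURCE:
            return "throttled"
        if self.by_account.count(username, now) >= MAX_FAILURES_PER_ACCOUNT:
            return "throttled"
        if verify_password(self.users.get(username), password):
            self.by_account.clear(username)   # success resets the account counter
            return "ok"
        self.by_account.record(username, now)
        self.by_source.record(source_ip, now)
        return "invalid"


def build_demo_service() -> LoginService:
    """Constructed demo accounts; the passwords exist only for this example."""
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("a-different-long-passphrase"),
    }
    return LoginService(users)


if __name__ == "__main__":
    svc = build_demo_service()
    for i in range(MAX_FAILURES_PER_ACCOUNT + 1):
        print(i, svc.attempt_login("alice", f"wrong-{i}", "203.0.113.5", now=float(i)))
    print("correct password while throttled:",
          svc.attempt_login("alice", "correct horse battery staple", "203.0.113.5", now=10.0))
```

Two design points matter in practice. The limit is evaluated before the password is verified, so throttled requests cost the server nothing and return the same answer regardless of whether the guess was right. The per-source counter catches distributed guessing across many accounts from one address, but it also locks out legitimate users behind a shared NAT, so real deployments pair it with a larger threshold, a CAPTCHA step or a second factor rather than a hard refusal; an in-memory store like this one also has to be replaced by a shared store when the service runs on more than one host.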