A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that could leave the banking credentials of millions of users exposed to attackers.
The vulnerability was discovered by researchers from the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps, both iOS and Android, and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include HSBC, NatWest, Co-op, Bank of America Health, Santander, and Allied Irish Bank, all of which have now been updated after the researchers reported the issue to them.
According to a research paper [PDF] published by the researchers, the vulnerable applications could allow an attacker connected to the same network as the victim to intercept the SSL connection and retrieve the user’s banking credentials, such as usernames and passwords or PIN codes, even if the apps use SSL pinning.
SSL pinning is a security feature that prevents man-in-the-middle (MITM) attacks by adding another layer of trust between the listed hosts and devices: the app accepts only a specific, pre-listed certificate or public key for a host, rather than any certificate that chains to one of the many certification authorities in the device’s trust store.
When implemented, SSL pinning helps to neutralize network-based attacks in which an attacker presents a valid certificate issued by a rogue or compromised certification authority.
“If one CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate,” the researchers wrote in their paper.
However, there are two key parts to verifying an SSL connection: the first (authentication) is to verify that the certificate comes from a trusted source, and the second (authorization) is to make sure that the server you are connecting to presents the right certificate, one issued for the hostname you actually dialled.
The researchers found that, due to a lack of hostname verification, several banking applications checked only the first part: they confirmed that the certificate chain led back to a trusted (pinned) CA, but never checked that the certificate was issued for the server they were connecting to.
Verifying the hostname ensures that the hostname in the URL to which the banking app connects matches a hostname in the digital certificate (its Subject Alternative Name entries, or historically its Common Name) that the server sends back as part of the SSL handshake. Without this check, any certificate issued by the same CA for any other hostname is accepted, which is exactly what an attacker on the same network can present.
“TLS misconfiguration vulnerabilities are clearly common; however none of the existing frameworks will detect that a client pins a root or intermediate certificate, but fails to check the hostname in the leaf,” the paper reads.
Besides this issue, the researchers also detailed an “in-app phishing attack” affecting Santander and Allied Irish Banks, which could have allowed attackers to hijack part of the victim’s screen while the app was running and use it to phish for the victim’s login credentials.
To test for this vulnerability in hundreds of banking apps quickly and without having to purchase certificates, the researchers created a new automated tool, dubbed Spinner.
Spinner leverages the Censys IoT search engine to find certificate chains for alternate hosts that differ only in the leaf certificate, so that the test traffic is signed by the very CA the app pins.
“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic coming from the app under test to a website which features a certificate signed by the same CA certificate, but of course a different hostname (Common Name),” the researchers explain.
“If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable.”
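As an added example (not code from the Birmingham paper, from Spinner, or from any bank’s app), the following Python models both halves of the server check described above, pin verification and hostname verification, using the dictionary shape Python’s ssl.getpeercert() returns, and reproduces Spinner’s decision rule offline: a chain for an alternate host issued under the same pinned CA is accepted by the vulnerable check and rejected by the hardened one. All certificates, fingerprints and hostnames are constructed for illustration.

```python
# Added example (not code from the Birmingham paper, Spinner, or any bank's
# app): a standard-library model of the two halves of server verification the
# article describes, using the dictionary shape Python's ssl.getpeercert()
# returns. All certificates, fingerprints and hostnames are constructed.
import hashlib


def _fp(label):
    """Stand-in for a certificate fingerprint (SHA-256 of constructed bytes)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed chain for the bank's real host, leaf first, root last.
BANK_HOST = "mobile.examplebank.test"
ROOT = {"subject": ((("commonName", "Example Root CA"),),), "fingerprint": _fp("root")}
INTER = {"subject": ((("commonName", "Example Issuing CA"),),), "fingerprint": _fp("intermediate")}
LEAF_BANK = {
    "subject": ((("commonName", BANK_HOST),),),
    "subjectAltName": (("DNS", BANK_HOST), ("DNS", "www.examplebank.test")),
    "fingerprint": _fp("leaf-bank"),
}
# Constructed Spinner-style alternate: same CA chain, different leaf/hostname.
LEAF_OTHER = {
    "subject": ((("commonName", "www.other-host.test"),),),
    "subjectAltName": (("DNS", "www.other-host.test"),),
    "fingerprint": _fp("leaf-other"),
}
BANK_CHAIN = [LEAF_BANK, INTER, ROOT]
ALT_CHAIN = [LEAF_OTHER, INTER, ROOT]
PINS = {INTER["fingerprint"]}  # the app pins its issuing CA, as in the paper


def leaf_names(cert):
    """DNS names the leaf claims: SAN dNSName entries, else the CN (RFC 6125)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' only as the whole leftmost label, never
    matching a whole domain or more than one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if "*" not in pattern:
        return p == h
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(leaf, hostname):
    return any(name_matches(n, hostname) for n in leaf_names(leaf))


def pin_matches(chain, pins):
    """Authentication half: some CA above the leaf carries a pinned fingerprint."""
    return any(c["fingerprint"] in pins for c in chain[1:])


def vulnerable_verify(chain, expected_host, pins):
    """The flawed pattern: trust comes from the pin; the leaf's name is ignored."""
    return pin_matches(chain, pins)


def hardened_verify(chain, expected_host, pins):
    """Pin check plus hostname check (the 'authorization' half)."""
    return pin_matches(chain, pins) and hostname_matches(chain[0], expected_host)


def spinner_style_probe(verify, pins=PINS):
    """Spinner's decision rule, modelled offline: present a chain for an
    alternate host under the same CA. If the client accepts it, the app is
    vulnerable; if it rejects it during establishment, the hostname was checked."""
    return verify(ALT_CHAIN, BANK_HOST, pins)


if __name__ == "__main__":
    for name, fn in (("vulnerable app", vulnerable_verify), ("hardened app", hardened_verify)):
        print(f"{name}: real host ok={fn(BANK_CHAIN, BANK_HOST, PINS)}, "
              f"alternate host accepted={spinner_style_probe(fn)}")
```

The point the paper makes is visible in the two verify functions: both accept the bank’s own chain, so a pinning test against the real server never reveals the bug; only presenting a sibling leaf under the same pinned CA, which is what Spinner harvests from Censys, separates them. In a real client you would not hand-roll this; you would let the TLS library perform hostname verification and add the pin on top of it, never instead of it.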
The trio, Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia, worked with the National Cyber Security Centre (NCSC) to notify all affected banks, which resolved the issues before the researchers publicly disclosed their work this week.