Eight banking apps and one virtual private network (VPN) app were found to contain a hidden vulnerability in their TLS protections, which could have been exploited to perform man-in-the-middle (MITM) attacks, according to academic researchers who created a new black-box tool capable of detecting the flaw.
A new report released by the University of Birmingham explains that the vulnerability in this instance was a lack of proper hostname verification -- a problem that is normally easy to detect, except when applications rely on a process called certificate pinning, which often conceals the flaw. (Certificate pinning is when developers choose to accept only certificates signed by a single pinned CA root certificate.)
Researchers Chris Stone, Tom Chothia, and Flavio Garcia observed this very scenario in a series of apps that collectively have been installed millions of times, including those issued by Bank of America and HSBC, as well as the popular TunnelBear VPN. Altogether, the nine affected apps were: Bank of America Health, TunnelBear VPN, Meezan Bank, and Smile Bank for Android, and HSBC, HSBC Business, HSBC Identity, HSBCnet, and HSBC Private for iOS. All of the companies involved repaired the flaw prior to the publishing of the paper.