Researchers found a flaw in 13 Android apps’ security measures which could lead to over 100 million users’ personal information being exposed, while both VMware and WiFi were found to have vulnerabilities that could jeopardize their larger scale networks. This month’s cybersecurity roundup examines the flaws in the authentication keys, WiFi frames, and V12 configurations that threatened the safety of users’ private information.
100 million Android users exposed
A recent study into the cloud configurations of downloadable applications discovered that around 100 million Android users had personal data exposed due to a lack of proper security measures. Personal information such as names, emails, passwords, user IDs, and usernames were easily accessible from 13 apps’ databases. Since no proper form of authentication was in place, all researchers had to do was access the real-time database and go looking for users’ private information. The settings and properties of the apps were exposed as well, and could easily be accessed and changed by a hacker.
Additionally, apps use push notifications to get their users’ attention for important alerts, which require an APNs authentication key to ensure the message is from the correct sender. Instead of properly securing the keys behind a security system, they were found embedded within the code in the application file. This means that hackers could easily access the applications’ file code and steal the notification key to send malicious links to those with the application. Because the alert comes from the app itself, users would assume that it is safe and trust the fraudulent message. The access keys for apps’ cloud storage such as Screen Recorder were also available, which would have allowed actors to acquire videos from cloud storage.
For more information about how users’ information was exposed to potential attackers, see Check Point Research’s report.
Newly discovered WiFi vulnerability in centrally managed networks
Recently, a discovery into the security of WiFi networks uncovered a vulnerability that could affect large, centrally managed WiFi networks like those in universities and large companies. This collection of vulnerabilities has been given the name FragAttacks, or fragmentation and aggregation attacks, by its discoverers. These flaws can be used to complement a more sophisticated attack on a WiFi system. Most of these are vulnerabilities are due to design flaws in the WiFi standards that have persisted since WiFi’s release in 1997 and the WEP encryption, but some vulnerabilities remain in the latest WPA3 security.
The main vulnerability lies in performance optimization allowing a client to combine several WiFi frames into a single transmission. Access points will verify the first frame is valid, but not any following frames. Also consider that not all frames require authentication or encryption, even in encrypted networks; the initial handshake is a notable example of where the access point and client exchange capabilities. This attack uses the combination of automatically accepted additional packets with that initial handshake message to put unauthenticated packets into the network. The technique was tested on different devices by researchers, who found that nearly every device was susceptible to the form of attack. Protecting against this issue requires proper authentication of the “is aggregated” packets. Fixing this requires making a change to the protocol specification, which is risky for older devices that do not receive updates and may cause issues even with modern devices that use this feature until support is added.
The fragment cache attack is similar to the aggregated attack, as an injected fragment can be used to infiltrate the network. With hotspot-like networks such as eduroam and govroam particularly endangered, threat actors utilize non-reassembled fragments in WiFi devices which are often not cleared from device memory. Especially since fragment removal in memory isn’t a device requirement, attackers can join a WiFi network and leave behind a hostile fragment that can be assembled with an unsuspecting user’s information. Security researchers suggest removing fragments when disconnecting and (re)connecting to the network to reduce the chances of malicious reassembling.
For more information and vulnerabilities in WiFi networks, be sure to check out FragAttacks’s Report.
VMware vulnerability sits at 9.8/10 in severity rating
One of the most recent vulnerabilities in virtualization software has left security weakness in an abundance of systems’ defenses. VMware discovered that the vCenter servers using V12 configurations had a bug that allowed an attacker access into vCenter's webserver to remotely execute code without authentication— the worst type of vulnerability software can have. According to the VMware security response, the incident was a 9.8 out of 10 in severity rating and a critical concern. Once infiltrated, the compromised network became a conduit through which attackers could remotely take control of the network and obtain privileges of the vCenter server. Moreover, VMware has disclosed an attacker could perform remote code execution through their storage virtualization software vSAN, which ships as a default with vCenter Server.
Enlyft compiled a series of records that indicate over 43,000 companies used VMware vSphere for their data centers. Shodan searches scanned open ports and IP addresses across the world, and it was able to see which machines were subjected to public exposure. It catalogued that approximately 5,500 vCenter machines were exposed due to the bug.
Although not all versions of the program were affected, vCenter versions 6.5, 6.7, and 7.0 are known to contain the vulnerability. If not implemented already, vCenter users are advised to download and install the latest patch update immediately as VMware considers this exploit critical, a term they traditionally reserve for bugs capable of affecting host machines.
For more information on the issue, check out Arstechnica’s report and VMware’s customer support.
