Update (August 12, 2015): today we are releasing an additional 34 apps which have the password brute force issue and have passed the disclosure period. Overall, you will find 49 popular apps on this page. Many apps have not yet applied a fix. Those apps which have fixed the issue are labeled "bug has been fixed" in green. All of these apps are also flagged in our AppBugs Security Scan app for Android users. Moreover, we have discovered a third batch of 42 apps and reported the issues to the app developers. We will also expose those apps through the AppBugs Security Scan app once their disclosure period expires.
Update (July 23, 2015): the company behind the Slack app contacted AppBugs and told us that the Slack app supports 2FA (two-factor authentication). AppBugs confirmed the claim: users can enable 2FA on its website and use it in the app. Here are the instructions: https://slack.zendesk.com/hc/en-us/articles/204509068-Enabling-two-factor-authentication. AppBugs suggests that users who are concerned about this issue enable 2FA. AppBugs has thus marked this issue in the Slack app as "resolved".
What is password brute force?
A password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user. Even iCloud has been found to have had such a hole, and it was rumored to be the cause of the massive celebrity hack that happened in late 2014. AppBugs found that 53 mobile apps (Android and iOS, approximately 600 million users impacted) have password brute force issues in their web services, and attackers can exploit the holes immediately to steal users' passwords.
How to find out if you are impacted?
- You can search through the list of vulnerable apps we publish below and see whether you are using any of those apps.
- For Android users, use AppBugs app for Android to check whether you are running vulnerable apps. This app can detect many types of vulnerabilities, including the password brute force issues (results reported on this page), HTTPS defects (results reported by Ars Technica), social login vulnerabilities (results reported by VentureBeat), and other important issues.
- For iOS users, we are planning to develop an iOS app. Provide your name and email through this Contact Form. We will send you an email when we launch the iOS app.
- For companies who want the full list of vulnerable apps, send us an email at support AT appbugs.co. We can share the list with you after you sign a non-disclosure agreement with us.
AppBugs study: password brute force is a big issue and imminent threat to mobile app users
If iCloud can have such a dangerous loophole, what about those mobile apps which authenticate users to their web services? AppBugs suspected this issue could be much more pervasive among those web services. To understand the extent of the issue, AppBugs randomly checked 100 popular apps which support password-protected web accounts. Each app had to have over 1 million downloads in order to qualify for the test. AppBugs confirmed that more than half of the apps (53 apps) have this vulnerability. Every single issue is an imminent threat to all users of that app: once an attacker knows an app is vulnerable to brute force, this person can immediately launch attacks to guess users' passwords from the web service of the vulnerable app, against all user accounts.
Because the vulnerability is on the server side and most apps have both Android and iOS versions, users of both platforms are impacted. Specifically, the vulnerable apps have been downloaded from Google Play more than 300 million times. Apple does not publish download numbers. In our experience, the cumulative download count of a set of Android apps is similar to that of their iOS counterparts. Under this assumption, the total number of impacted downloads is approximately 600 million.
Some developers have deployed a WAF (Web Application Firewall) or equivalent rate limiting techniques on their web services, which partially mitigate brute force attacks. For example, Slack and Domino's Pizza will reset connections from an IP when x connections (in AppBugs tests, the value of x was above 40) are made to their web services within a minute. Expedia blocks connection requests from IP addresses on a blacklist, including those from the Tor network. However, none of those defenses can stop the attackers. Resetting the connections only slows down the attacks: the attacker can simply make fewer connections per minute to stay under the threshold. Blocking some IP addresses only forces the attackers to use other IP addresses. For real attackers with a botnet, this is not an obstacle at all.
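The gap the paragraph describes is that the deployed limits are keyed on the source IP while the thing being guessed is one account. The following is an added example, not code from AppBugs or from any of the services named: a sliding-window throttle that keeps the per-IP limit the page reports (40 connections per minute) and adds a per-account failed-login limit; the per-account figure of 10 failures per hour and the `LoginThrottle` API are this example's own assumptions. The scenario function is a regression test for the server-side control, reproducing the distributed pattern the page says defeats IP-only limiting.

```python
from collections import defaultdict, deque

# Assumed policy values, constructed for this example (the page reports per-IP resets above 40/minute).
IP_LIMIT_PER_MINUTE = 40
ACCOUNT_FAIL_LIMIT_PER_HOUR = 10


class LoginThrottle:
    """Per-IP limiting (what the page says some services deploy) plus per-account limiting."""
    def __init__(self, ip_limit=IP_LIMIT_PER_MINUTE, account_limit=ACCOUNT_FAIL_LIMIT_PER_HOUR):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.ip_hits = defaultdict(deque)        # ip -> connection timestamps (seconds)
        self.account_fails = defaultdict(deque)  # account -> failed-login timestamps

    @staticmethod
    def _prune(queue, now, window):
        while queue and now - queue[0] >= window:  # drop entries outside the window
            queue.popleft()

    def ip_allows(self, ip, now):
        hits = self.ip_hits[ip]
        self._prune(hits, now, 60)
        if len(hits) >= self.ip_limit:
            return False
        hits.append(now)
        return True

    def account_allows(self, account, now):
        fails = self.account_fails[account]
        self._prune(fails, now, 3600)
        return len(fails) < self.account_limit

    def attempt(self, ip, account, password_ok, now):
        """Returns 'allowed', 'ip_limited' or 'account_locked'; records failures."""
        if not self.ip_allows(ip, now):
            return "ip_limited"
        if not self.account_allows(account, now):
            return "account_locked"
        if not password_ok:
            self.account_fails[account].append(now)
        return "allowed"


def distributed_failures(n=60, account="victim@example.com"):
    """Constructed test: n wrong passwords for one account, one per minute, each
    from a different IP. Returns (allowed, account_locked, ip_limited) counts."""
    throttle = LoginThrottle()
    outcomes = [throttle.attempt(f"198.51.100.{i + 1}", account, False, now=60 * i)
                for i in range(n)]
    return tuple(outcomes.count(k) for k in ("allowed", "account_locked", "ip_limited"))
```

In the scenario the per-IP limiter never fires (each IP makes one connection), while the per-account limiter locks after the tenth wrong password. A hard per-account lock is itself a lever for locking a victim out, so production systems usually escalate to delays or CAPTCHA rather than a flat refusal.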
How long does an attacker need to guess your password?
According to this study on 70 million passwords, user passwords typically provide only 10-20 bits of security. This means that it takes the attacker at most 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him between half an hour and 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching attacks from multiple IP addresses against multiple user accounts in parallel, and often can make more than 30 guesses per minute. If the attacker launched such an attack today against most user accounts in parallel, he would obtain most user passwords within 24 days.
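The estimate above, carried through as an added example (not AppBugs' own calculation): worst-case time to exhaust a 10-bit and a 20-bit password space at the page's 30 guesses per minute, then the same figures against an assumed per-account limit of 10 failed attempts per hour, and for a uniformly random 20-character password, which is what the page's later "over 20 characters" advice buys. The 62-symbol alphabet, the throttle value and the function names are this example's assumptions.

```python
import math

PAGE_GUESSES_PER_MINUTE = 30     # rate assumed on the page
MINUTES_PER_HOUR, HOURS_PER_DAY, DAYS_PER_YEAR = 60, 24, 365


def worst_case_guesses(bits):
    """A password with `bits` bits of strength is found within 2**bits guesses."""
    return 2 ** bits


def minutes_to_exhaust(bits, guesses_per_minute=PAGE_GUESSES_PER_MINUTE):
    return worst_case_guesses(bits) / guesses_per_minute


def human(minutes):
    """Format a duration the way the page does (minutes, hours, days, years)."""
    hours = minutes / MINUTES_PER_HOUR
    days = hours / HOURS_PER_DAY
    years = days / DAYS_PER_YEAR
    if hours < 2:
        return f"{minutes:.0f} minutes"
    if days < 2:
        return f"{hours:.1f} hours"
    if years < 2:
        return f"{days:.1f} days"
    return f"{years:.0f} years" if years < 1e6 else f"{years:.1e} years"


def random_password_bits(length, alphabet_size=62):
    """Strength of a uniformly random password over letters and digits (assumed alphabet)."""
    return length * math.log2(alphabet_size)


def exposure_table(guesses_per_minute=PAGE_GUESSES_PER_MINUTE, throttled_per_hour=10):
    """Worst-case time to guess for the page's 10 and 20 bits and for a random
    20-character password, against an unthrottled endpoint and against an
    assumed per-account limit of `throttled_per_hour` failed attempts."""
    rows = []
    for bits in (10, 20, random_password_bits(20)):
        unthrottled = minutes_to_exhaust(bits, guesses_per_minute)
        throttled = minutes_to_exhaust(bits, throttled_per_hour / MINUTES_PER_HOUR)
        rows.append((round(bits), human(unthrottled), human(throttled)))
    return rows
```

The table reproduces the page's "half an hour" and "24 days" for the unthrottled case; a 10-bit password stays guessable within days even behind the per-account limit, which is why a server-side fix and a strong password are needed together.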
Users really care
AppBugs sees that mobile users are really concerned about the brute force issues, because they have pushed for bug fixes. AppBugs exposes all uncovered vulnerabilities relevant to Android users through the AppBugs app for Android (an iOS app is also in development and will be launched in a few months). Those vulnerabilities include the password brute force issues (results reported on this page), HTTPS defects (results reported by Ars Technica), social login vulnerabilities (results reported by VentureBeat), and other important issues. Using the AppBugs app, some mobile users found that the Dictionary app and the Pocket app they were using had the password brute force issue. Concerned, they forwarded the vulnerability information shown in the AppBugs app to the developers of Pocket and Dictionary to push for fixes. Both companies later made fixes and contacted us. AppBugs tested and confirmed their fixes and marked in our database that those apps are now safe to use.
For each vulnerability found, AppBugs immediately notified the affected app developers and allowed them 30 days to fix the issue before AppBugs publishes the results to the public. All apps which have passed the disclosure period have been published below. App developers with good reasons can request to extend the period by an additional 60 days. Currently, 15 apps have passed that period. Only three of them (Wunderlist, Dictionary, and Pocket) have fixed the issue. AppBugs will release most of the apps on August 12 (Update: an additional 34 apps were released on August 12).
What can you do to protect yourself?
It is very difficult for an affected app user to protect himself/herself from the issue. It does not help if the user stops using the app or uninstalls it, because the user credentials on the server remain unchanged and the attacker can still guess them. If the app account is no longer needed by the user, AppBugs recommends disabling the account. The method for disabling an account varies from one app to another. Users need to contact the app developer if they cannot find out how to disable the account. If the account is still needed, the user can set a new, very strong password of over 20 characters. Users should know that even a very strong password is only a temporary mitigation. The attacker can still guess the password, though it will take much longer. The app developer needs to make a change on the server side to actually fix the brute force issue.
If the app supports 2FA (two-factor authentication), the user can enable it to protect himself/herself. Of the vulnerable apps AppBugs has tested, only the Slack app has been confirmed to support 2FA.