Dozens of phone apps with more than 300 million downloads susceptible to brute force password hacking

Security experts have long recognized the value of limiting the number of unsuccessful login attempts that can be made against an online account. Such limits can lock out legitimate users when an attacker's failed guesses exhaust the allowance on their account, but that denial-of-service drawback is in most cases outweighed by the protection the limits provide against online password cracking, in which attackers make huge numbers of password guesses against specific accounts in the hope of hitting the right one. Until last September, Apple's iCloud service did not limit the number of login attempts to the service, a shortcoming that may have contributed to last year's mass celebrity hack and theft of nude photos. Although Apple has since mended its ways, many smartphone apps still allow users an unlimited number of login attempts. That failure lets attackers work through long lists of the most commonly used passwords, and given how hard it is to enter strong passwords on a smartphone keyboard, it is a safe bet that a statistically noteworthy number of accounts could be compromised over a period of weeks. Mobile security firm AppBugs tested 100 of the most popular Android and iOS apps that support password-protected accounts, each with at least one million downloads, and found that many impose no limit on the number of logins that can be attempted. The affected Android apps had together been downloaded 300 million times; Apple does not release such data, but AppBugs estimated the download count for the affected iOS apps to be similar. It was surprising to discover that 53% had a password brute-force weakness that allowed attackers to keep guessing until they cracked the credential.
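The countermeasure the paragraph describes, a server-side cap on failed login attempts, is small enough to show in full. The following is an added example written for this page, not code from AppBugs or from any of the apps it tested; the account name, password, guess list and policy numbers (5 failures, a 5-minute window, a 15-minute lock) are constructed for the demo. It also exercises the trade-off the paragraph mentions: once the limit is hit, the legitimate user with the right password is turned away until the lock expires.

```python
import hmac
import time
from collections import deque

# Policy values are assumptions chosen for this illustration.
MAX_FAILURES = 5        # failed attempts tolerated per account within the window
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is reached


class LoginThrottle:
    """Counts failed logins per account and refuses attempts while the account is locked.

    max_failures=None disables the limit, which is the behaviour the article attributes
    to the vulnerable apps. The clock is injectable so the demo needs no real waiting.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = {}        # account -> deque of failure timestamps
        self.locked_until = {}    # account -> time at which the lock expires
        self.password_checks = 0  # how often the backend actually compared a password

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def attempt(self, account, supplied, real_password):
        """Return 'ok', 'denied' or 'locked'.

        A locked account is rejected before the password is compared at all, so an
        online guesser gets no feedback on whether a guess was right.
        """
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        window = self.failures.setdefault(account, deque())
        while window and now - window[0] > self.window:
            window.popleft()  # forget failures older than the sliding window
        self.password_checks += 1
        # A real backend compares password hashes; constant-time compare keeps the demo honest.
        if hmac.compare_digest(supplied, real_password):
            window.clear()
            return "ok"
        window.append(now)
        if self.max_failures is not None and len(window) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            window.clear()
            return "locked"
        return "denied"


class FakeClock:
    """Manual clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed demo account and a short constructed guess list ending in the right password.
DEMO_ACCOUNT = "alice@example.com"
DEMO_PASSWORD = "correct-horse-battery-staple"
DEMO_GUESSES = ["123456", "password", "qwerty", "letmein", "welcome", "abc123", DEMO_PASSWORD]


def run_guesses(max_failures):
    """Feed the guess list to a throttle with the given limit; returns (outcomes, checks)."""
    throttle = LoginThrottle(max_failures=max_failures, clock=FakeClock())
    outcomes = [throttle.attempt(DEMO_ACCOUNT, g, DEMO_PASSWORD) for g in DEMO_GUESSES]
    return outcomes, throttle.password_checks


def legit_user_during_and_after_lockout():
    """Show the denial-of-service side: the real user is refused until the lock expires."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for g in DEMO_GUESSES[:MAX_FAILURES]:   # wrong guesses exhaust the allowance
        throttle.attempt(DEMO_ACCOUNT, g, DEMO_PASSWORD)
    during = throttle.attempt(DEMO_ACCOUNT, DEMO_PASSWORD, DEMO_PASSWORD)
    clock.advance(LOCKOUT_SECONDS + 1)
    after = throttle.attempt(DEMO_ACCOUNT, DEMO_PASSWORD, DEMO_PASSWORD)
    return during, after


if __name__ == "__main__":
    print("no limit:", run_guesses(None))
    print("limit of 5:", run_guesses(MAX_FAILURES))
    print("legit user during/after lock:", legit_user_during_and_after_lockout())
```

With no limit the backend evaluates all seven guesses and the last one succeeds; with the limit it evaluates five, locks the account, and never looks at the correct password that follows. The `legit_user_during_and_after_lockout` pair is the cost the paragraph acknowledges: a legitimate user who arrives during the lock is refused even with the right password, which is why the lock is bounded in time and why failures outside the sliding window are forgotten rather than counted forever.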

The firm explained the following:

In keeping with its disclosure policy, AppBugs said it notified each affected app's developers and gave them 90 days to fix the weaknesses before making them public. Of the 15 apps whose patching grace period had passed, only three (Wunderlist, Dictionary and Pocket) had fixed the issue at the time of AppBugs' blog post. The grace period has thus expired on at least 12 still-unfixed apps, including those from CNN, Walmart, Expedia, ESPN, Songza, Slack, Zillow, SoundCloud, iHeartRadio, Domino's Pizza, AutoCAD, and Kobo. Three other apps, from Dictionary, Wunderlist, and Pocket, were also found to be vulnerable but were fixed after AppBugs brought the weaknesses to the developers' attention. None of the apps tested supports two-factor authentication, so there is very little a user can do to reduce the exposure other than stop using the app altogether. Apple's iCloud service was widely reported to have exposed users through this same weakness before the firm patched it. It is time app developers considered two-factor authentication as a means of preventing the compromise of user accounts.