The cybersecurity company Symantec is sounding the alarm about easy access to millions of private records in a large number of applications, mostly on iOS.
The flaw reportedly stems from the reuse of valid Amazon Web Services (AWS) tokens that grant access to far more data than they were originally intended to cover.
A supply chain problem
Symantec has listed 1,859 applications, 98% of them on iOS, with major security flaws caused by the reuse of hard-coded Amazon Web Services tokens. In 53% of the applications Symantec examined, the same AWS credentials appear in more than one app, multiplying the exposure of this data tenfold. For Symantec, the problem originates in the supply chain, especially in the software development kits (SDKs) used when building applications.
As the firm explains, if an AWS token only grants access to a single file in an S3 bucket, the vulnerability is minimal, but that is not the case here. Among the examples, an SDK used by a B2B company not only gives its customers access to its platform, but also to all of that company's cloud infrastructure keys. According to Symantec, the data of more than 15,000 large and medium-sized companies registered there is reportedly exposed inadvertently, including information about customers and employees, and even financial records.
How did we get here? Symantec explains that “the company has hard-coded the AWS access token to access the AWS translation service. However, instead of limiting the use of the hard-coded access token with the translation cloud service, anyone with the token had full and unfettered access to all of the B2B enterprise’s AWS cloud services.”
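The two failure modes described above, credentials shared across apps through an SDK and a token whose policy is far broader than the translation service it was meant for, both have simple defender-side checks. The following Python script is an added example, not code from Symantec's report or from any of the vendors mentioned; the app names, sample access key IDs and IAM policies are constructed for illustration.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# keys, ASIA for temporary credentials) plus 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample: text pulled from three hypothetical app bundles.
# BankApp and RetailApp ship the same key through a shared SDK.
SAMPLE_BUNDLES = {
    "BankApp": "AWSAccessKey=AKIAEXAMPLE000000001\nregion=us-east-1",
    "RetailApp": "sdk_config: { key: 'AKIAEXAMPLE000000001' }",
    "WeatherApp": "token=ASIAEXAMPLE000000002",
}

# Constructed IAM policies: an over-broad one like the article's B2B case,
# beside a policy scoped to the Translate action the app actually needs.
WEAK_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [{"Effect": "Allow",
                                "Action": ["translate:TranslateText"],
                                "Resource": "*"}]}

def find_keys(text):
    """Return the set of access key IDs hard-coded in one bundle's text."""
    return set(AWS_KEY_RE.findall(text))

def reused_keys(bundles):
    """Map each key ID found in more than one app to the apps embedding it."""
    usage = defaultdict(list)
    for app, text in bundles.items():
        for key in find_keys(text):
            usage[key].append(app)
    return {k: sorted(v) for k, v in usage.items() if len(v) > 1}

def wildcard_action_statements(policy):
    """Indices of Allow statements granting '*' or 'service:*' actions."""
    broad = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            broad.append(i)
    return broad

if __name__ == "__main__":
    print("reused keys:", reused_keys(SAMPLE_BUNDLES))
    print("weak policy wildcard statements:", wildcard_action_statements(WEAK_POLICY))
    print("scoped policy wildcard statements:", wildcard_action_statements(SCOPED_POLICY))
```

A key that turns up in several unrelated bundles, or a policy that returns any wildcard statement, is the signal to rotate the credential and replace it with one scoped to the single service the app needs.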
Lots of sensitive information at risk
Although this is probably mostly unintentional on the part of developers, reusing tokens that grant total access across hundreds of different applications exponentially increases the risk of a leak. In its analysis, Symantec reports that 47% of the applications screened carry AWS tokens that give access not only to the files the developers needed, in a private cloud space for example, but to millions of files stored in Amazon Simple Storage Service (S3).
Other examples illustrate the seriousness of the situation. The use of the vulnerable AI Digital Identity SDK by five applications from the same banking institution led to the exposure of biometric data, in this case fingerprints, of more than 300,000 registered people. The good news is that Symantec has already alerted all the organizations concerned.