  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Cloud backend exposure putting enterprise data at risk

    Appthority Discovers Backend Exposure of 43TB of Enterprise Data

    Seth Hardy
    May 31, 2017

    When protecting against mobile threats, the focus is typically on three familiar categories: apps, device threats, and network threats. Apps may exhibit risky behaviors, such as accessing personal data or sending passwords without encryption, or they may be outright malicious. Devices can be compromised, intentionally or not, and external network threats can intercept data in motion leaving the device.

    It’s understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can’t ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, often outside of a user’s view.

    In our 2017 Q1 Enterprise Mobile Threat Report, we highlighted Uber’s use of third-party apps and services that put users’ data at risk. In our 2017 Q2 Enterprise Mobile Threat Report, we’re taking a step back and looking at a simpler risk, but one far more prevalent within the mobile ecosystem: tracking data leakage through backend data stores that are unsecured. This vulnerability, which we are calling HospitalGown, can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.

    Ranking Mobile Risks

    Recent high profile mobile threats, including targeted attacks, advertising fraud, and ransomware, show that there is a lot of focus on malware. These threats are real and directly impact users – but how do they affect enterprises? Most malware outbreaks are broadly targeted, and while they may steal data, perpetrate financial fraud against an individual, or encrypt personal data on a mobile device, they rarely target enterprise resources or infrastructure.

    On the other hand, the media and analysts are waiting for a breach where the smoking gun can be traced back to a mobile vulnerability. Until that happens, it can be difficult to make the case that mobile security is a high priority, and many organizations are relying exclusively on security features of the device’s operating system and associated app store.

    This just isn’t enough. Malware isn’t the only mobile threat; the greatest exposure from mobile devices is data leakage. Mobile apps often collect a large amount of PII that isn’t necessary for the app’s use, such as specifics about the device and the user’s physical location. This information can be used in spear phishing or watering hole attacks, or as reconnaissance for further network attacks.

    Many enterprises have determined that protection from data leakage due to mobile exploits should be their highest priority—and we believe they’re right.

    What is the HospitalGown Threat?

    HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers’ failure to properly secure the backend (hence its name) servers with which the app communicates and where sensitive data is stored.

    Why is HospitalGown a Threat?

    Apps that are vulnerable to HospitalGown are doing what they are supposed to do – and this is why they are such a threat. These apps don’t compromise the device and aren’t under any kind of network attack. They don’t need to be sideloaded, and are available from reputable sources such as Google Play and the Apple App Store. Apps with this vulnerability aren’t malware, and they likely pass all mobile app reputation tests.

    And yet, these apps leak massive amounts of data. Our first case study, a security app, leaked about 8 GB of data, including over 16,000 customer records containing PII such as full customer names, email addresses, phone numbers, PIN reset tokens, device information, and password lengths. In our second case study, 4 GB of data revealed 36 million records including customer, partner, and government agency records from over 10 countries, and real-time telemetry data from large agricultural machinery.

    In total, we found almost 43 TB of data exposed and 1,000 apps affected by the HospitalGown vulnerability. Looking at a subset of 39 apps, we still found 280 million records exposed, a total of about 163 GB of data. This is a staggering amount of leaked information, and in some cases represents the entirety of customer or operational data for an enterprise.

    Our research has identified over 1,000 apps that expose data due to HospitalGown. These apps aren’t contrived examples made for demonstration, but are real apps found in Google Play and the Apple App Store – and more importantly, on our customers’ devices. Some have tens to hundreds of thousands of downloads. Because this vulnerability is tied to the backend infrastructure, it is not trackable by app version number; in most cases, an upgrade to the app won’t address the security risks. Even worse, if an app developer closes the vulnerability, it doesn’t secure the data already leaked.

    In all cases we’ve observed, this vulnerability has resulted from human error, not malicious intent. Our notification process responsibly disclosed information about the data exposure to app developers, and we worked with those that responded to close the vulnerabilities. In some cases, the issues were remediated immediately. Unfortunately, in others, we received no response and the data is still exposed.


    Some apps leak data by design. Many applications rely on cloud storage or processing of user data, especially with the limited computing resources available on mobile devices. A complicated ecosystem of SDKs, third-party software libraries, analytics frameworks, and advertising networks makes it harder to fully understand what data is being collected and where it is going. This, in turn, makes it harder to secure that data.

    The HospitalGown vulnerability isn’t just theoretical. Hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores. We recommend that, where possible, enterprises refrain from using apps that access or send sensitive information, particularly if the data is not encrypted in transit and at rest. If the use of an app impacted by HospitalGown is necessary, we suggest contacting the app developer or vendor to verify that the backend server has been secured.

    Appthority customers are protected against HospitalGown. In addition to our deep dynamic mobile threat detection, we have developed a new analysis engine component which scans the backend infrastructure connected to apps, looking for unsecured data stores. Our customers should remediate apps with the HospitalGown vulnerability until the app developers secure their data.

    Download the Full Report | “HospitalGown: The Backend Exposure Putting Enterprise Data at Risk”

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Unsecured Cloud Back-Ends Still Pose Security Threat, New Report Says

    David Ramel


    Echoing the findings of a similar recent report, Appthority has published investigation results that found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (PII).


    The report mirrors the findings of an earlier report by RedLock Inc., which revealed many security issues primarily caused by user misconfigurations on public cloud platforms, with Amazon Web Services Inc. (AWS) figuring prominently. RedLock claimed it found 82 percent of hosted databases remain unencrypted, among many other problems.

    The AWS cloud was also mentioned in the new report from Appthority. One of the key findings of the report said: "The enterprise threat is real: The apps connect to unsecured databases on a range of popular enterprise services, including Elasticsearch and Amazon Web Services."

    Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks earlier this year that generated widespread publicity in the security field. However, that publicity apparently wasn't enough to significantly alleviate the issue.

    "As our findings show, weakly secured back-ends in apps used by employees, partners and customers create a range of security risks including extensive data leaks of personally identifiable information (PII) and other sensitive data," the report states. "They also significantly increase the risk of spear phishing, brute force login, social engineering, data ransom, and other attacks. And, HospitalGown makes data access and exfiltration far easier than other types of attacks."

    Key findings of the report as listed by the company include:

    • Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data.
    • Apps using just one of these services revealed almost 43TB of exposed data.
    • Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails, phone numbers), and retail customer data.
    • Enterprise security teams do not have visibility into the risk due to the risk's location in the mobile app vendor's architecture stack.
    • In multiple cases, data has already been accessed by unauthorized individuals and ransomed.
    • Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers.

    The company said its Mobile Threat Team identified the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method, looking at the network traffic on more than 1 million enterprise mobile apps, both iOS and Android.

    As with the misconfiguration problems identified in the RedLock report, Appthority emphasized that all cases of HospitalGown vulnerabilities were caused by human errors, not malicious intent or inherent infrastructure problems.

    Appthority said it disclosed information about the exposed data to app developers and to affected providers, such as AWS.

    "In some cases, the issues were remediated immediately," the company said. "Unfortunately, in others, we received no response and the data is still exposed."
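Both posts name the same root cause: a backend data store (Elasticsearch is the service both articles cite) that is reachable from the network with no authentication. The first post's advice is to verify that a backend has been secured; the following script is an added example of what that check can look like for one Elasticsearch node's configuration file. It is my code, not Appthority's scanner and not part of either article. It assumes an X-Pack-era release, so the settings that matter are `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, and it assumes the pre-8.x defaults (loopback bind, security off) when a key is absent; the three node configs are constructed samples.

```python
# Added example (mine, not code from Appthority or the articles above): an
# offline audit of an Elasticsearch node configuration for the "backend left
# open" misconfiguration the HospitalGown write-up describes.
#
# Assumptions, not taken from the page: the node is an X-Pack-era release, so
# the relevant keys are `network.host`, `xpack.security.enabled` and
# `xpack.security.http.ssl.enabled`; when a key is absent the pre-8.x defaults
# (bind to loopback, security off) are assumed. The configs below are
# constructed samples, not real deployments.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "info"
    message: str


# Values of network.host that keep the HTTP port off the network.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_true(settings: dict, key: str, default: str) -> bool:
    return settings.get(key, default).strip().lower() == "true"


def audit(settings: dict) -> list:
    """Return findings for one node config."""
    host = settings.get("network.host", "_local_")
    reachable = host not in LOOPBACK_HOSTS
    auth_on = _is_true(settings, "xpack.security.enabled", "false")
    tls_on = _is_true(settings, "xpack.security.http.ssl.enabled", "false")
    findings = []
    if reachable and not auth_on:
        # This is the HospitalGown case: data store on the network, no login.
        findings.append(Finding(
            "critical",
            f"network.host={host} with xpack.security.enabled=false: "
            "every index is readable by anyone who can reach the port"))
    if reachable and auth_on and not tls_on:
        findings.append(Finding(
            "high",
            "authentication on but HTTP TLS off: credentials and query "
            "results cross the network in clear text"))
    if not reachable and not auth_on:
        findings.append(Finding(
            "info",
            "security off but bound to loopback; enable it before the "
            "node is exposed to app backends"))
    return findings


def audit_fleet(configs: dict) -> dict:
    """Audit several named node configs; map node name -> worst severity or 'ok'."""
    order = {"critical": 3, "high": 2, "info": 1}
    result = {}
    for name, text in configs.items():
        findings = audit(parse_flat_yaml(text))
        result[name] = max((f.severity for f in findings),
                           key=order.get, default="ok")
    return result


# Constructed sample configs (not real hosts).
SAMPLE_CONFIGS = {
    "open-backend": """
        cluster.name: app-backend
        network.host: 0.0.0.0          # listens on every interface
        http.port: 9200
        xpack.security.enabled: false  # no authentication at all
    """,
    "auth-no-tls": """
        cluster.name: app-backend
        network.host: 10.0.5.12
        xpack.security.enabled: true
        xpack.security.http.ssl.enabled: false
    """,
    "hardened": """
        cluster.name: app-backend
        network.host: 10.0.5.12
        xpack.security.enabled: true
        xpack.security.http.ssl.enabled: true
    """,
}

if __name__ == "__main__":
    for node, worst in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{node}: {worst}")
        for f in audit(parse_flat_yaml(SAMPLE_CONFIGS[node])):
            print(f"  [{f.severity}] {f.message}")
```

The "critical" rule is the one that matches the report's finding: the node is listening on a routable address and nothing asks for credentials, so the data is exposed regardless of what the mobile app itself does. Running a check like this against the configs of every data store an app's backend talks to is cheap, and it covers the case the second post highlights: a store stays exposed even after the app is pulled from the stores.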
