In previous articles, we discussed at length the importance of securing your home network, mobile devices and workstations, as well as the entirety of your organisation’s IT infrastructure. While these remain pivotal aspects of a well-run organisation’s core operations and cybersecurity planning, they still stand outside the product side of the business. In this article, we look at the security aspects of applications and what must be taken into account when launching one, regardless of whether the application is the product itself or exists to extend the functionality of a pre-existing service.
How can an application be compromised?
Launching any web-based application entails a number of potential dangers, some of them interconnected, in that one vulnerability can open the way to a different type of exploit.
One of the most dangerous types of attack aimed at web applications is the ‘injection’, so called because untrusted data is forced into the application, which is tricked into accepting it and then executes a command, or a chain of commands, that it should never have run.
A prominent example of an injection attack came in 2019, when a vulnerability in WhatsApp, one of the most popular web messaging applications on the market, allowed a group of malicious entities to install spyware on affected users’ mobile devices, predominantly smartphones.
The attack worked in such a way that the code could be injected into the user’s phone regardless of whether they answered the unsolicited call they received. Moreover, the call would more often than not be erased from the related logs, so that users could not see that anything had taken place.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” a WhatsApp press release said at the time.
Another incident, which took place in 2018, involved MyFitnessPal, an application owned by the sports brand Under Armour, whose core feature was the ability to monitor one’s diet by logging various fitness-related data points.
The exploit here relates to what is usually called ‘Broken Authentication’, where the poor implementation of authentication-related functions resulted in the potential compromise of millions of users and their passwords.
Though many of those passwords were difficult to recover because of the strength of the encryption used, some were quite easy to crack and were ultimately funnelled onto the dark web for sale to any interested party. Hackers were also able to extract usernames and email addresses.
While user data was segmented well enough to prevent the extraction of additional personally identifiable information, such as birthdays and location data, the damage was still significant. One reason hackers were able to exploit this vulnerability was that the developers had used two different types of password encryption without appreciating the risk involved: the stronger scheme sacrificed speed for security, while the second could be computed much faster but was significantly weaker.
“My suspicion is that they upgraded from something terrible, SHA-1, to something less terrible, bcrypt, but had to keep the old data around for customers who hadn’t logged in recently,” opined Matthew Green, a cryptographer at Johns Hopkins University, at the time of the incident.
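The migration problem Green describes, a strong scheme for new logins with weak legacy hashes left in the database for dormant accounts, is worth seeing in code. The following is an added example, not MyFitnessPal’s code or anything from the original article. It uses unsalted SHA-1 as the weak legacy scheme and PBKDF2-HMAC-SHA256 from the standard library as the slow, salted replacement (a stand-in for the bcrypt mentioned in the quote, chosen so the example runs without third-party packages). The user store, usernames, passwords and round count are all constructed. On each successful login the legacy hash is rewritten in the strong scheme, and an inventory helper lists the accounts that still carry a weak hash, which is the population that a leak would expose and that an upgrade-on-login strategy alone never reaches.

```python
import hashlib
import hmac
import os

# Constructed parameters; a real deployment tunes the round count to its hardware.
PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    # The weak scheme: unsalted and fast, so a leaked table can be brute-forced cheaply.
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    # Slow, salted scheme. PBKDF2-HMAC-SHA256 is used here because it ships with
    # the standard library; bcrypt, as in the article, would serve the same purpose.
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against whichever scheme the stored record uses."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(stored, legacy_sha1(password))
    if scheme == "pbkdf2":
        salt_hex, _, digest_hex = rest.partition("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False  # unknown scheme: never accept


def login(store: dict, username: str, password: str) -> bool:
    """Verify the password and, on success, replace a legacy hash with a strong one.

    The plaintext is only available at login time, so this is the one moment the
    application can re-hash without asking the user to reset their password.
    """
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        store[username] = strong_hash(password)
    return True


def legacy_accounts(store: dict) -> list:
    # Inventory: accounts still protected only by the weak scheme. These users have
    # not logged in since the upgrade and need a forced reset, not more waiting.
    return sorted(u for u, h in store.items() if h.startswith("sha1$"))


if __name__ == "__main__":
    users = {"alice": legacy_sha1("correct horse"), "bob": strong_hash("s3cret")}
    print("legacy before:", legacy_accounts(users))
    print("alice login:", login(users, "alice", "correct horse"))
    print("legacy after:", legacy_accounts(users))
```

Two details matter for a reviewer. First, the comparison uses `hmac.compare_digest` rather than `==`, so verification time does not leak how many leading characters matched. Second, opportunistic upgrade on login is only half a migration: the `legacy_accounts` report is what tells you how many records would still be cheap to crack in a breach, and those accounts should be reset or expired on a schedule rather than left in place indefinitely.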
Additional Risks
Though the two incidents above are prominent examples of major and well-funded web applications still falling prey to outside attacks and exploits, there are further ways in which an application can be compromised.
One is the accidental deprioritization of security for data deemed less sensitive than passwords and email addresses, such as the personally identifiable information mentioned in the Under Armour incident. Though such data may not seem dangerous at the moment of a leak or extraction, it can be used later to commit fraud or facilitate phishing.
Further risks to the integrity and security of web-based applications include: poorly configured XML processors, which outside parties can exploit; misconfigured access levels between users, allowing some users to view sensitive data they should have been fenced off from; failures to prevent Cross-Site Scripting (XSS), which can let malicious entities execute scripts in a user’s browser, manipulate the application into redirecting the user to malicious websites, or take full control of a user’s session after authorization has already been granted; and insecurely implemented deserialization in applications written with object-oriented programming, which can lead to the execution of malicious code supplied by a remote party.
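Of the risks listed above, the XSS and redirect cases are the easiest to show in a few lines, so here is an added example (not code from the original article) covering both. It renders a constructed user profile twice, once by pasting the user-supplied biography into the page and once through `html.escape`, and it validates a constructed `next` parameter before redirecting, accepting only same-site paths or an allow-listed host. The profile data, the probe string in Mallory’s biography and the hostname `app.example` are all constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed profile records; the "bio" field is user-supplied and untrusted.
PROFILES = {
    "alice": {"name": "Alice", "bio": "Runs marathons & lifts"},
    "mallory": {"name": "Mallory", "bio": '<script>alert("bio")</script>'},
}

# Constructed allow-list of hosts the application may redirect to.
ALLOWED_HOSTS = ("app.example",)


def render_unsafe(user: str) -> str:
    # Untrusted text is written into the page as-is, so any markup in the
    # biography becomes part of the page and runs in every viewer's browser.
    p = PROFILES[user]
    return f'<h1>{p["name"]}</h1><p class="bio">{p["bio"]}</p>'


def render_safe(user: str) -> str:
    # Output encoding for the HTML context: <, >, &, " and ' become entities,
    # so the browser displays the biography instead of interpreting it.
    p = PROFILES[user]
    name = html.escape(p["name"], quote=True)
    bio = html.escape(p["bio"], quote=True)
    return f'<h1>{name}</h1><p class="bio">{bio}</p>'


def contains_script_tag(rendered: str) -> bool:
    # Detection helper for the test: does the rendered page carry a live tag?
    return "<script" in rendered.lower()


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return next_url only if it stays on this site or an allow-listed host."""
    parts = urlsplit(next_url)
    # A relative path like "/account" has no scheme and no host. "//evil.example"
    # parses with an empty scheme but a host, so the netloc check rejects it.
    if parts.scheme == "" and parts.netloc == "" and next_url.startswith("/") \
            and not next_url.startswith("//"):
        return next_url
    if parts.scheme in ("http", "https") and parts.netloc in ALLOWED_HOSTS:
        return next_url
    # Anything else (foreign hosts, javascript:, data:, protocol-relative URLs)
    # falls back to a known-good location.
    return fallback


if __name__ == "__main__":
    print(render_unsafe("mallory"))
    print(render_safe("mallory"))
    for target in ("/account", "//evil.example/", "https://app.example/home", "javascript:alert(1)"):
        print(f"{target!r} -> {safe_redirect_target(target)!r}")
```

Escaping must match the context the value is written into: `html.escape` is correct for element content and quoted attributes, but a value placed inside a URL, a JavaScript block or a CSS rule needs that context’s own encoding, which is why template engines that escape by default are a safer foundation than hand-built string formatting. For redirects, the allow-list on the host is the check that matters; pattern-matching the string for “evil” or “http” is not a substitute.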
What can you do about it?
In the second part of this feature on web application threats and security, we will explore the steps an organisation can take to secure its application and minimize the potential for a breach or any other form of compromise.
To read more articles please click here, while the full range of offensive services can be found on the Boltonshield website here.