A major new vulnerability dubbed "Eavesdropper" that poses a serious threat, exposing massive amounts of sensitive data to hackers has just been uncovered. Security experts found that hundreds of apps built around the Twilio service were affected by Eavesdropper. The flaw was caused by a simple developer error, which involved inadvertently exposing API credentials of hundreds of apps.
The flaw affected nearly 700 apps that have already been downloaded over 180 million times. The Eavesdropper doesn't depend on jailbreak, rooting, malware or known vulnerabilities instead it capitalises on a simple developer error to expose massive amounts of sensitive data. This means that hackers need no specialised tools to launch attacks and access the sensitive data.
The flaw exposes sensitive data including call records, SMS and MMS text messages and more, security researchers at Appthority found. The most alarming aspect of Eavesdropper is that it cannot be resolved simply by removing an affected app from users' device. Instead, the affected apps and their data remain exposed until their credentials are updated and secured.
"Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning," Seth Hardy, Appthority's director of security research, said in a statement. "An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data."
Eavesdropper was uncovered in April but security experts at Appthority say that it has been present since 2011. Over 30% of the apps affected by the flaw were business-related. "The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages," researchers said.