A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that left the banking credentials of millions of users vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include HSBC, NatWest, Co-op, Santander, and Allied Irish Bank, which have now been updated after the researchers notified them of the issue.
According to a research paper [PDF] published by the researchers, vulnerable applications could have allowed an attacker, connected to the same network as the victim, to intercept the SSL connection and retrieve the user's banking credentials, such as usernames and passwords/pincodes—even if the apps were using the SSL pinning feature.
SSL pinning is a security feature that prevents man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices.
When implemented, SSL pinning helps to neutralize network-based attacks in which attackers could try to use valid certificates issued by rogue certification authorities.
"If a single CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate," the researchers wrote in their paper.
However, there are two key parts to verifying an SSL connection—the first (authentication) is to verify whether the certificate is from a trusted source, and the second (authorization) is to make sure the server you are connecting to presents the correct certificate.
Researchers found that, due to a lack of hostname verification, several banking applications were not checking whether they were connected to a trusted source.
Verifying a hostname ensures that the hostname in the URL to which the banking app connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.
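The two verification steps described above, modelled as an added example (not code from the paper or from any of the banks): a hypothetical minimal certificate model, a pin-only check that accepts any leaf signed by the pinned CA, and the corrected check that also requires the leaf to name the host the app is connecting to. The certificates and pins are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical minimal model of an X.509 certificate. Real code would parse
# DER with a TLS library and pin the SubjectPublicKeyInfo hash; the decision
# logic below is the part that matters.
@dataclass
class Cert:
    subject_cn: str
    issuer_cn: str
    public_key: bytes                       # constructed stand-in for the SPKI
    sans: List[str] = field(default_factory=list)

def spki_pin(cert: Cert) -> str:
    """SHA-256 pin over the public key, in the style of HPKP / OkHttp pins."""
    return hashlib.sha256(cert.public_key).hexdigest()

def hostname_matches(hostname: str, cert: Cert) -> bool:
    """RFC 6125-style check: SANs first, CN only as fallback, one-label wildcard."""
    names = cert.sans or [cert.subject_cn]
    host_labels = hostname.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) >= 3:   # wildcard only in leftmost label
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def pin_only_check(chain: List[Cert], pinned: Set[str]) -> bool:
    """The flawed pattern: trust anchor pinned, leaf hostname never checked."""
    return any(spki_pin(c) in pinned for c in chain)

def pin_and_hostname_check(chain: List[Cert], pinned: Set[str], hostname: str) -> bool:
    """Authentication (pinned CA in chain) AND authorization (leaf names the host)."""
    return pin_only_check(chain, pinned) and hostname_matches(hostname, chain[0])

# Constructed chains: the bank's real leaf, and an alternate host signed by the
# same CA that differs only in the leaf (the case the paper's tool looks for).
BANK_CA = Cert("Example Root CA", "Example Root CA", b"constructed-ca-key")
BANK_LEAF = Cert("mobile.bank.example", "Example Root CA", b"constructed-bank-key",
                 ["mobile.bank.example"])
ALT_LEAF = Cert("www.other.example", "Example Root CA", b"constructed-other-key",
                ["www.other.example", "*.other.example"])
PINS = {spki_pin(BANK_CA)}

def demo(host: str = "mobile.bank.example") -> dict:
    legit, alternate = [BANK_LEAF, BANK_CA], [ALT_LEAF, BANK_CA]
    return {"legit_full": pin_and_hostname_check(legit, PINS, host),
            "alt_pin_only": pin_only_check(alternate, PINS),            # True: accepted
            "alt_full": pin_and_hostname_check(alternate, PINS, host)}  # False: rejected
```

Running `demo()` shows the pin-only check accepting the alternate leaf while the combined check rejects it, which is exactly the gap between the two verification steps.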
"TLS misconfiguration vulnerabilities are clearly common; however none of the existing frameworks will detect that a client pins a root or intermediate certificate, but fails to check the hostname in the leaf," the paper reads.
Besides this issue, the researchers also detailed an "in-app phishing attack" affecting Santander and Allied Irish Banks, which could have allowed attackers to hijack part of the victim's screen while the app was running and use it to phish for the victim's login credentials.
To test this vulnerability in hundreds of banking apps quickly and without needing to purchase certificates, the researchers created a new automated tool, dubbed Spinner.
Spinner leverages the Censys IoT search engine to find certificate chains for alternate hosts that differ only in the leaf certificate.
"Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name)," the researchers explain.
"If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable."
The trio, Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia, worked alongside the National Cyber Security Centre (NCSC) to notify all affected banks, which then resolved the issues before the researchers publicly disclosed their work this week.